MPS 3 Advanced Concepts

Advanced Concepts Guide MetaFrame Presentation Server for Windows Version 3.
MetaFrame Presentation Server 3.0 for Windows MetaFrame Access Suite
Copyright and Trademark Notice Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. Other than printing one copy for personal use, no part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. Copyright 2001-2004 Citrix Systems, Inc. All rights reserved. Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, NFuse, and Program Neighborhood are registered trademarks, and SpeedScreen is a trademark of Citrix Systems, Inc. in the United States and other countries. RSA Encryption 1996-1997 RSA Security Inc., All Rights Reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. DB2, Tivoli, and NetView are registered trademarks, and PowerPC is a trademark of International Business Machines Corp. in the U.S. and other countries. HP OpenView is a trademark of the Hewlett-Packard Company. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc. RealOne is a trademark of RealNetworks, Inc. SpeechMike is a trademark of Koninklijke Philips Electronics N.V. Unicenter is a registered trademark of Computer Associates International, Inc. UNIX is a registered trademark of The Open Group. All other trademarks and registered trademarks are the property of their owners. Document Code: May 24, 2004 3:13 pm (GG)
Contents
Contents
Chapter 1 Introduction
Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Getting More Information and Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Chapter 2
Planning Your Deployment

Hardware Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Operating System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Planning User Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3
Facilitating Server Farm Communication

Understanding Zones and Data Collector Communication. . . . . . . . . . . . . . . . . . . 25 Bandwidth Requirements for Server Farm Events . . . . . . . . . . . . . . . . . . . . . . . . . 31 Implementing the Data Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Multihoming Servers in the Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Using DNS Servers for Client to Server Connections. . . . . . . . . . . . . . . . . . . . . . . 53
Chapter 4
Deploying MetaFrame Presentation Server

Installing and Upgrading to MetaFrame Presentation Server 3.0 . . . . . . . . . . . . . . 57 Rapid Deployment of MetaFrame Presentation Server. . . . . . . . . . . . . . . . . . . . . . 60 Other MetaFrame Presentation Server Deployment Scenarios. . . . . . . . . . . . . . . . 66 Deploying MetaFrame Presentation Server Clients . . . . . . . . . . . . . . . . . . . . . . . . 73
Chapter 5
Managing Server Farms

Management Consoles for MetaFrame Presentation Server. . . . . . . . . . . . . . . . . . 87 Administering Server Farms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Installation Manager Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Resource Manager Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Network Manager Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Using Visual Basic Scripts to Access the WMI Provider . . . . . . . . . . . . . . . . . . . 111
Advanced Concepts Guide
Chapter 6
Deploying, Publishing, and Configuring Applications

Publishing in Domains with Thousands of Objects . . . . . . . . . . . . . . . . . . . . . . . 129 Content Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Enhanced Content Publishing and Redirection with the Web Interface. . . . . . . . 131 Configuring SpeedScreen Browser Acceleration for Published Applications . . . 136 Media Formats and Network Types Supported by SpeedScreen Multimedia Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 SpeedScreen MultiMedia Acceleration Configuration Options . . . . . . . . . . . . . . 144 Adding and Removing Users from Published Applications Using VBScript and MetaFrameCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Using Installation Manager to Deploy Windows Installer Packages . . . . . . . . . . 150
Chapter 7
Optimizing MetaFrame Presentation Server Performance

Network Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Server Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Applications Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Disk Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Memory Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 User Settings Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Audio Recording Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Client Audio Mapping Virtual Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 ICA Priority Packet Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Load Balancing Servers Running the Web Interface . . . . . . . . . . . . . . . . . . . . . . 180
Chapter 8
Security Issues and Guidelines

Securing Your Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Security Considerations for the Data Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Network Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Configuring Proxy/Firewall Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Using Smart Cards with MetaFrame Presentation Server. . . . . . . . . . . . . . . . . . . 200 Using Citrix Products in a Wireless LAN Environment . . . . . . . . . . . . . . . . . . . . 207 Deploying the Java Client using the Web Interface . . . . . . . . . . . . . . . . . . . . . . . 209
Contents
Chapter 9
Troubleshooting
Troubleshooting the IMA Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Troubleshooting Novell Directory Services Integration . . . . . . . . . . . . . . . . . . . . 216 SQL Database Replication Troubleshooting Tips. . . . . . . . . . . . . . . . . . . . . . . . . 219 Resource Manager Troubleshooting Q&A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 Trusts and User Group Access Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Other Troubleshooting Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Collecting Information for Citrix Technical Support . . . . . . . . . . . . . . . . . . . . . . 227
Chapter 10
Using MetaFrame Presentation Server with Novell Directory Services

Farm Layout and System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Setting Up MetaFrame Presentation Server for Use in NDS . . . . . . . . . . . . . . . . 233 Installing the Novell Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 Using ZENworks to Simplify User Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Using MetaFrame Presentation Server in the NDS Environment. . . . . . . . . . . . . 242 Enabling NDS Usage in the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 NDS Usage with the MetaFrame Presentation Server Client . . . . . . . . . . . . . . . . 247 Tips and Techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Chapter 11
Creating and Replicating Printers

Printer Mapping Enhancements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 Optimizing Printer Creation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Updating Printer Properties When Users Log On . . . . . . . . . . . . . . . . . . . . . . . . . 254 Printer Driver Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Chapter 12
Replicating Data Stores Running Microsoft SQL Server

Preparing for Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Replicating a Data Store in SQL Server 2000. . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Replicating a Data Store in SQL Server 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Pointing Servers to the Replicated Data Store. . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Appendix A
Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 DSVIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 MSGHOOK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 QPRINTER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 QUERYDC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 QUERYDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 QUERYHR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 SCCONFIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 LMNEWLOG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 LMSWITCH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Appendix B Appendix C
Tested Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 IMA Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Event Log Warning and Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 IMA Subsystem Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 Presentation Server Console Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Resource Manager Billing Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Appendix D
Registered Citrix Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
CHAPTER 1
Introduction
Advanced Concepts Guide for MetaFrame Presentation Server for Windows 3.0 this book is a collection of best practices, tips, and suggestions for effectively using MetaFrame Presentation Server. To get the most from this guide, you should be familiar with the concepts and configuration procedures in the MetaFrame Presentation Server Administrators Guide and the additional documentation for MetaFrame Presentation Server componentsall of which are available in the Document Center included on your MetaFrame Presentation Server CD (see below for details). Additional information is available from the MetaFrame Presentation Server readme file. See the MetaFrame Presentation Server Client readme files for known issues and work arounds. For further information or to get white papers about some of the topics discussed in this document, visit the Citrix Web site at http:// www.citrix.com. Note All terminology, product references, and recommendations are subject to change without notice.
Document Conventions
MetaFrame Presentation Server documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention Boldface Italics Meaning Commands, names of interface items such as text boxes, option buttons, and user input. Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books. The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows. Text displayed in a text file. A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves. Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves. A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete. You can repeat the previous item or items in command statements. For example, /route:devicename[,] means you can type additional devicenames separated by commas.
%SystemRoot%
Monospace
{ braces }
[ brackets ]
| (vertical bar)
(ellipsis)
Getting More Information and Help

This section describes how to get more information about MetaFrame Presentation Server and how to contact Citrix.
Accessing Product Documentation

The documentation for MetaFrame Presentation Server includes online documentation, known issues information, integrated on-screen assistance, and application help. Online documentation is provided as Adobe Portable Document Format (PDF) files. Online guides are provided that correspond to different features of MetaFrame Presentation Server. For example, information about the Web Interface is contained in the Web Interface Administrators Guide. Use the Document Center to access the complete set of online guides. Be sure to read the Readme.htm file in the \Documentation directory of the product CD before you install MetaFrame Presentation Server or when troubleshooting. This file contains important information that includes lastminute documentation updates and corrections. In many places in the MetaFrame Presentation Server user interface, integrated on-screen assistance is available to help you complete tasks. For example, in the Access Suite Console, you can position your mouse over a setting to display help text that explains how to use that control. Online help is available in many components. You can access the online help from the Help menu or Help button. The Advanced Concepts Guide is available for download as a PDF file from the Support page of the Citrix Web site. Follow the links for Support > Knowledge Center > Product Documentation to navigate to the download page for this document.
Important To view, search, and print the PDF documentation, you need to have the Adobe Reader 5.0.5 or later with Search. You can download Adobe Reader for free from Adobe Systems Web site at http://www.adobe.com/.
10
Accessing the Document Center

The Document Center provides a single point of access to product documentation and enables you to go straight to the section in the documentation that you need. It also includes: A list of common tasks and a link to each item of documentation. A search function that covers all the PDF guides. This is useful when you need to consult a number of different guides. Cross-references among documents. You can move among documents as often as you need using the links to other guides and the links to the Document Center.
You can access the Document Center from your product CD or install it on your servers. To install the Document Center, select the option from the MetaFrame Presentation Server Autorun screen. To start the Document Center 1. From your product CD, navigate to the \Documentation folder. or On a server on which you installed the Document Center, select Documentation from the Citrix program group on the servers Start menu. 2. Open document_center.pdf. The Document Center appears. If you prefer to access the guides without using the Document Center, you can navigate to the component PDF files using Windows Explorer. If you prefer to use printed documentation, you can also print each guide using Adobe Reader. Note The Advanced Concepts Guide is not part of the Documentation Center at this time.
11
Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSN partner at http://www.citrix.com/support/. In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include: A knowledge base containing thousands of technical solutions to support your Citrix environment An online product documentation library Interactive support forums for every Citrix product Access to the latest hotfixes and service packs Security bulletins Online problem reporting and tracking (for customers with valid support contracts)
Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organizations Citrix products.
Subscription Advantage
Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. Not only do you get automatic delivery of feature releases, software upgrades, enhancements, and maintenance releases that become available during the term of your subscription, you also get priority access to important Citrix technology information. You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Network for more information.
12
Customizing MetaFrame Presentation Server

The Citrix Developer Network (CDN) is at http://www. citrix.com/cdn/. This openenrollment membership program provides access to developer toolkits, technical information, and test programs for software and hardware vendors, system integrators, licensees, and corporate IT developers who incorporate Citrix computing solutions into their products. Most of the operations that you can perform using the MetaFrame Presentation Server user interface can also be scripted by using the Citrix Software Development Kit (SDK). The SDK also lets programmers customize most aspects of MetaFrame Presentation Server. The SDK is available from http://www.citrix.com/cdn/.
Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor- led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available from http://www.citrix.com/edu/.
Master page: First Cn-ChapterNumber
CHAPTER 2
Planning Your Deployment
This chapter includes recommendations for server hardware and operating system configuration and for providing adequate server capacity for user sessions. Before installing and deploying MetaFrame Presentation Server, read and consider these sections.
Hardware Configuration
Citrix recommends the following hardware configuration options to improve the performance of MetaFrame Presentation Server.
General Recommendations
Employ RAID ArraysBecause hard drives are the most common point of hardware failure in multi-processor configurations, Citrix recommends a RAID (Redundant Array of Independent Disks) setup. See the MetaFrame Presentation Server Administrators Guide for more information regarding available RAID configurations. If RAID is not an option, a fast SCSI 2, 3, or Ultra 160 drive is recommended. Faster hard disks are inherently more responsive and may eliminate or curtail disk bottlenecks. Currently 15,000 RPM hard drives are the most commonly deployed Install Multiple Disk ControllersFor quad and eight-way servers, install at least two controllers, one for operating system disk usage and the other to store applications and temporary files. Isolate the operating system as much as possible; do not install applications on the controller where the operating system is installed. Distribute hard drive access load as evenly as possible across the controllers.
Header (on master page) 14 Advanced Concepts Guide
Provide Adequate Disk Space for User ProfilesPartition and hard drive size depends on both the number of users connecting to computers running MetaFrame Presentation Server and the applications running on the server. Running applications such as those in the Microsoft Office suite can result in user profile directory sizes of hundreds of megabytes. Large numbers of user profiles can use gigabytes of disk space on the server. You must have enough disk space for these profiles on the server. Note Roaming profiles and permanent user data should be stored on a centralized file server, Storage Area Network (SAN), or Network-Attached Storage (NAS) that can adequately support the environment. In addition, this storage medium should be logically located near the servers so that minimal router hops are required and logon times are not unnecessarily increased.
Enable Disk-Write CachingUsers may experience performance improvements if disk-write caching is enabled on a servers RAID controller. For example, enabling disk-write caching can help mitigate problems users experience when many users log on at the same time.
Server Redundancy
When planning the hardware configuration of your server farm, consider the following precautions: At least one backup server should be available in the event of a production server failure. It is typical for some organizations to plan for as much as 25% redundancy within the production environment. Servers that enable access to MetaFrame Presentation Server, such as Web Interface, Secure Gateway, secure ticket authority and MetaFrame Secure Access Manager servers, serve as single points of failure if only one server is deployed with a given functionality. Deploy two or more servers to service each function to ensure continued access to the server farm.
Data Store Hardware Guidelines

The performance of various events within your MetaFrame Presentation Server 3.0 environment can be improved by increasing the CPU power and speed of the database server that hosts the data store. Testing shows that adding processors to the data store server can dramtically improve response time when multiple simultaneous queries are being executed. If the environment has large groups of servers coming online frequently, the additional processors will service the requests faster.
(on master page) Header Chapter 2 Planning Your Deployment
15
However, with serial events, such as installing or removing a farm server, the additional processors show lower performance gains. To improve the processing time for these types of events, increase the processor speed of the data store hardware platform. Note The response time of other farm events (such as recreating the local host cache or replicating printer drivers to all farm servers) is more closely related to the size of the farm rather than to the response time of the data store.
Objects in the Data Store

A major factor in determining the hardware needed to ensure proper performance of the data store is the number and size of object records in the data store. When you create an object in the Presentation Server Console by performing an action such as publishing an application or adding a MetaFrame administrator, you create a record for that object in the data store database. The objects include the following: Applications Administrators Folders Installation Manager groups Installation Manager packages Load evaluators Printers Printer drivers Policies Resource Manager metrics Servers
Some objects, such as applications and servers, create multiple entries in the data store. As the number of entries in the data store grows, the time required to search and retrieve the entries also grows. As servers are added to the farm, the data store must service more requests. Consequently, plan the data store hardware platform based on the total number of servers you plan to include in the farm. For more information about choosing a database for the data store, see the MetaFrame Presentation Server Administrators Guide.
16
The Size of Data Store Objects

The following table shows the estimated sizes of object records created in the data store for various tasks performed in the Presentation Server Console. A SQL Server 2000, Service Pack 3 database was used. Note The following measurements should be considered only as guidelines, because the size of an objects entries in the data store depends on many factors.
Task Publish an application (for example, Wordpad) Create a blank policy Configure all rules and assign policy to domain users group Create a Resource Manager application configured for one server Import a network print server/printer driver Add printer driver Add Resource Manager metric for one server (Citrix MetaFrame Presentation Server/data store bytes written/sec) Add one domain administrator as a MetaFrame administrator Configure Installation Manager properties (account, path) Add an Installation Manager package Create an Installation Manager package group Add a server folder Add an application folder Create a Load Manager load evaluator with one evaluation rule (server user load) Create an Installation Manager server group containing one server Add a server to the farm
Size of Object Record Created in Data Store (Bytes) 11338 7122 986 7467 2183 2485 1808 3164 1635 24275 4225 1188 1191 1786 1113 81891
Chapter 2 Planning Your Deployment
17
Operating System Configuration

The following Windows server operating system configuration options are recommended to improve the performance, stability, and security of your MetaFrame Presentation Server implementation.
General Recommendations
All partitions must be in Windows NT File System (NTFS) format. NTFS allows security configuration, better performance, fault tolerance, and also saves disk space usage because NTFS partitions have small and constant cluster sizes (the minimum size is 4KB). File Allocation Table (FAT) partitions require much larger cluster sizes because the size of the partition increases (with the minimum being 32KB). More space is wasted on FAT partitions because the file system requires an amount of physical disk space equal to the cluster size of the partition used to store a file, even if the file is smaller than the cluster size. For more information about cluster sizes of FAT and NTFS partitions, see Microsoft Knowledge Base article Q140365. If possible, install only one network protocol on the server. This practice frees up system resources and reduces network traffic. If multiple protocols are needed, set the bind order so that the most commonly used protocol is first. When working with Windows Terminal Services, increase the registry size to accommodate the additional user profile and applications settings that are stored in the registry. On a single-processor server, you need to reserve at least 40MB for the registry. Reserve at least 100MB on quad and eight-way servers. You can also increase performance by properly tuning the page file. For more information about the page file, see Microsoft Knowledge Base article Q197379.
Service Packs and Updates

For consistency and reduced troubleshooting, install service packs and hotfixes on all servers in the server farm. Important You can find late-breaking information and links to citical updates for server operating systems and for Citrix installation files in the online Preinstallation Update Bulletin. Open the Pre-installation Checklist to access a link to this site. You can find the checklist on the MetaFrame Presentation Server autorun screen.
18
Servers in a server farm use Microsoft Jet drivers extensively. The Microsoft Jet Database Engine is used by the local host cache on every server in the farm. It is also used when Resource Manager is installed. Citrix recommends installing Microsoft service packs for the Microsoft Jet Database Engine. Older versions contain memory leaks that appear as IMA Service memory leaks. Apply these service packs and patches before installing MetaFrame Presentation Server on the servers. See Microsoft Knowledge Base article 273772 for more information. Important A memory leak in the Microsoft Jet Database Engine is fixed in Windows Server 2000 Service Pack 2. To use MetaFrame XP Feature Release 3 or earlier versions on a Windows Server 2000 system on which Windows Server 2000 Service Pack 2 is not installed, you must install the hotfix described in TechNet article 273772, FIX: Memory Leak in Jet ODBC Driver with SQL NUMERIC or SQL C BINARY Data. MetaFrame Presentation Server 3.0 requires Windows Server 2000 Service Pack 4.
Changing the Maximum Buffer Size

The amount of memory consumed by the Citrix IMA Service can be reduced by changing MaxBufferSize in a registry entry for the Microsoft Jet 4.0 database engine. 1. Run regedt32. 2. Locate the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Jet 4.0 3. Double-click MaxBufferSize in the right pane. 4. In the DWORD Editor dialog box, enter 0x200 in the Data box. Accept the default radix, Hex, in the Radix box. 5. Click OK. Caution Observe precautions when editing the registry. See Microsoft documentation for more information about backing up and editing the registry.
Note Installing a new Microsoft Data Access Components (MDAC) or Microsoft Jet Database Engine service pack may reset MaxBufferSize to its default setting. Be sure to check this setting after applying any MDAC or Jet updates.
19
Planning User Capacity

The number of users that a server running MetaFrame Presentation Server can support depends on several factors including: The servers hardware specifications The CPU and memory requirements of the applications that are being run The amount of user input being processed by the applications
The following sections present benchmark results regarding user capacity, examine the potential benefits of Hyper-Threading, and discuss how to achieve realistic sizing for the server by using Resource Manager.
Benchmarking Client Sessions

Citrix conducted benchmarking tests to quantify the number of simulated MetaFrame Presentation Server Client sessions that can be connected to a server and still have acceptable performance. These tests simulated users continuously working with Microsoft Office applications with a step size number of users defined as five. During each test, the following steps were taken after the first five users were logged on: 1. Launched simulated user scripts on all five sessions. 2. Opened Microsoft Excel and simulated the creation of a spreadsheet. 3. Opened Microsoft Access and simulated the creation of an Access database. 4. Opened Microsoft PowerPoint and created a presentation. Based on how long the test steps took to complete, a benchmarking score was calculated. For these tests, a score of 80 was determined as the optimal load for a server, meaning that the server had enough additional CPU and memory resources to handle spikes in performance.
Test Configuration
The benchmarking test was conducted with the following iteration structure and hardware and software configurations:
User Iteration
Step Size: five users Iterations: 36 iterations Total simulated users in this test: 180
20
Server Configuration
Dell PowerEdge 2650 Dual Intel Pentium 4 Xeon Processor: 3.06GHz with 512KB L2 Cache and 1MB L3 Cache 533MHz front side bus speed Hyper-Threading enabled 36GB HDD with Dell PERC 3/Di Raid Controller 4GB RAM 4GB page file Windows Server 2003 MetaFrame Presentation Server 3.0 Enterprise Edition Microsoft Office XP Excel XP, PowerPoint XP, and Access XP
Client Configuration
CPQ ML350 600MHz Pentium III with 256KB Cache 256MB RAM Windows Server 2000 Service Pack 4 Citrix 32-bit Program Neighborhood
Test Results
A servers degradation point was considered to have been reached when its score fell below 80. The results showed a maximum of 177 simulated users concurrently running Microsoft Office applications before this threshold was reached. In this test environment, increasing the number of concurrent users beyond this would have resulted in decreased server and, therefore, user performance.
21
Hyper-Threading and User Capacity

Hyper-Threading is technology developed by Intel and introduced in the Pentium 4 Xeon line of processors. It enables a single physical processor to appear as two logical processors to the operating system, allowing multi-threaded programs to take advantage of extra execution units on the processor and leading to performance increases for some applications, particularly those that are multi-threaded. The following test used the benchmarking procedure described above and gauged the performance benefits of Hyper-Threading a server running MetaFrame Presentation Server by comparing its degradation point to that of a server that was not Hyper-Threaded. The dual-processor server configurations that were compared in this test had Hyper-Threading enabled or disabled in their system BIOS.
Test Configuration
The test was performed on Dell PowerEdge 2650 dual processor systems with Hyper-Threading-capable Pentium 4 Xeon processors. The benchmarking test was conducted with the following iteration structure and hardware and software configurations:
User Iteration
Step Size: five users Iterations: 36 iterations Total simulated users in this test: 180
Server Configuration
Dell PowerEdge 2650 Dual Intel Pentium 4 Xeon Processor: 3.06GHz with 512KB L2 Cache and 1MB L3 Cache 533MHz front side bus speed Hyper-Threading enabled and disabled 36GB HDD with Dell PERC 3/Di Raid Controller 4GB RAM 4GB page file Windows Server 2003 MetaFrame Presentation Server 3.0 Enterprise Edition Microsoft Office XP Excel XP, PowerPoint XP, and Access XP
Client Hardware Configuration

CPQ ML350 600 MHz Pentium III with 256KB Cache 256MB RAM Windows Server 2000 Service Pack 4 Citrix 32-bit Program Neighborhood
22
Test Results
The result of this test was that the server with Hyper-Threading-enabled had a 30% performance increase over the same server with Hyper-Threading disabled. In other words, the Hyper-Threaded server was able to support 30% more concurrent user sessions before reaching its degradation point.
Configuration Hyper-Threading Disabled Hyper-Threading Enabled
Number of Simulated Users 123 +/- 1.5 177 +/- 1.5
% Difference NA + 30%
This graph shows the performance benefits of Hyper-Threading. The HyperThreaded server supported more user sessions before reaching its degradation point.
23
Using Resource Manager to Determine User Capacity

Resource Managers summary database stores information concerning CPU and memory usage for various processes running on MetaFrame Presentation Server. With this information, you can estimate user capacity of a server: 1. Add a server to the farm, or create a new farm and limit user access to approximately 20 users per processor. 2. Enable Resource Managers summary database. 3. Run tests that include the launch and use of applications running on that server. 4. Create a Crystal report that queries the information required to assess server capacity. The report should contain the following information: Average CPU and memory usage for the specific processes Average CPU and memory usage for other processes, such as Explorer.exe or Winlogon.exe A defined threshold, such as no more than 90% CPU usage and/or no more than 3GB of RAM used A calculation to extrapolate the number of users that can be divided into the threshold given the resource usage above
The longer you can use these tests, the better the data averages you can collect from the summary database.
Master page: First
CHAPTER 3
Facilitating Server Farm Communication
This chapter examines the communication that occurs between servers in a MetaFrame Presentation Server farm. Among the topics discussed are the roles of zones and data collectors in a farm, the bandwidth requirements of various types of server communication, implementing a farms data store, and multihoming servers in the farm.
Understanding Zones and Data Collector Communication

To understand server farm communication, you must be aware of how farms are divided into zones and the role that data collectors play in keeping track of changes in zones. Zones in a server farm perform two functions: Collecting data from member servers Distributing changes to all servers in the farm
All member servers must belong to a zone. By default, the zone name is the subnet ID on which the member server resides. The zone data collector maintains all load and session information for every server in its zone. Each data collector has a connection open to all other data collectors in the farm. This connection is used to immediately relay any changes reported by servers that are members of the zone by that zones data collector to the data collectors of all other zones. Thus all data collectors are aware of the licensing, and session information for every server in the farm. The formula for interzone connections is N * (N-1)/2, where N is the number of zones in the farm.
If a zones data collector does not receive communication from a server in the zone within the configured time interval, the zone data collector pings the server to verify that it is online. The default interval is once a minute. A data collector will also ping any other data collectors if it does not receive any data from the target server within the configured time interval. This interval is configurable by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation. HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\ KeepAliveInterval (DWORD) Value: 0xEA60 (60,000 milliseconds default) In normal operation, data collectors are synchronized through frequent updates. Occasionally, an update sent from one data collector to another data collector can fail. Instead of repeatedly trying to contact a zone that is down or unreachable, a data collector waits a specified interval before retrying communication. The default wait interval is five minutes. That value is configurable by adding the following value to the registry. The interval, in milliseconds, is expressed in hexadecimal notation. HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime \GatewayValidationInterval (DWORD) Value: 0x493E0 (300,000 milliseconds)
Configuring Data Collectors in Large Zones

By default, a single zone supports 512 member servers (prior to MetaFrame XP Feature Release 3, the default was 256 member servers). If a zone has more than 512 member servers, each zone data collector and potential zone data collector must have a new registry setting. This new setting controls how many open connections to member servers a data collector can have at one time. To prevent the data collector from constantly destroying and recreating connections to stay within the limit, set the registry value higher than the number of servers in the zone. You can configure this value by adding the following value, expressed in hexadecimal notation, to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Runtime\MaxHostAddress CacheEntries (DWORD) Value: 0x200 (default 512 entries) Note If you do not have more than 512 servers in a zone, increasing this value will not increase the performance of a zone
(on master page) Header Chapter 3 Facilitating Server Farm Communication
27
Approximating Traffic Generated by Updates to the Data Collector

When a member server updates the data collector with requests and changed data, the amount of traffic this generates is represented by the following formulas. In turn, a small amount of traffic is then sent from the data collector to the member server. This traffic accounts for approximately one half of the data sent from the member server to the data collector, so for full bandwidth utilization, multiply the number of bytes from the formula by 1.5. To approximate the amount of traffic destined for the data collector, multiply the number of bytes from the formula by the number of member servers in the zone. These numbers are an approximation from data gathered by Citrix. Actual results may vary. MetaFrame Presentation Server 3.0: Bytes = 4900 + (200*Con) + (100*Discon) + (300*Apps) MetaFrame XPe / FR3: Bytes = 6300 + (200 * Con) + (100 * Discon) + (150 * Apps) MetaFrame XPe / FR2: Bytes = 3800 + (600 * Con) + (400 * Discon) + (300 * Apps) MetaFrame XPe / FR1: Bytes = 3300 + (400 * Con) + (250 * Discon) + (150 * Apps) MetaFrame XPe: Bytes = 11000 + (1000 * Con) + (600 * Discon) + (350 * Apps) Where: Con = Number of connected sessions Discon = Number of disconnected sessions Apps = Number of published applications in the farm
28
Limiting Data Collector Communication

To maintain consistent information between zones, data collectors must relay all of their information to all of the other data collectors in the farm. Citrix recommends that you limit the use of zones to avoid the bandwidth costs associated with the replication of zone data. During a zone update, approximately the same amount of data is transmitted between data collectors, so for full bandwidth utilization, double the bytes from the following formulas. To approximate the amount of traffic across all data collector links, multiply the number of bytes obtained from the formula by the number of data collectors minus 1 in the farm. To approximate the amount of data sent between two data collectors during a full zone transfer, use the following formula: MetaFrame Presentation Server 3.0 : Bytes = 9530 + (300*Con) + (300*Discon) + (500*Apps) MetaFrame XPe: / SP3 Bytes = (7400 + (6.3 * Srv_Zone))+ (400 * Con) + (200 * Discon) + (300 * Apps) MetaFrame XPe: / SP2 Bytes = 17000 + (600 * Con) + (300 * Discon) + (600 * Apps) Where: Con = Number of connected sessions Discon = Number of disconnected sessions Apps = Number of published applications in the farm Note You can use a third-party solution, such as Packeteer PacketShaper, to dedicate bandwidth for IMA traffic, which uses port 2512 by default, to avoid flooding the network in WAN environments. Packeteer PacketShaper 5.02 automatically supports IMA traffic. You can configure other third-party solutions to recognize IMA traffic by port number.
Chapter 3 Facilitating Server Farm Communication
29
Traffic for Session-Based Events

The following tables illustrate the impact to network traffic and the amount of data transmitted for session-based events. Each time these events occur, the member server sends data to the zones data collector, which then sends data to all other data collectors in the farm.
MetaFrame Presentation Server 3.0

Event Connect Disconnect Reconnect Logoff Data transmitted (approximate) 0.51KB 0.48KB 0.47KB 0.30KB
MetaFrame XPe / Feature Release 3


30
Traffic for Inter-Zone Communication

The following tables list the amount of data sent by one data collector to another when operations are performed by the Presentation Server Console on servers that reside in different zones.

Event Presentation Server Console server query Application publishing Changing a zone data collector Data transmitted (approximate) 0.27KB 2.7KB 12KB


The bandwidth consumed when you publish an application varies depending on the number of servers in the server farm. In general, the amount of bandwidth consumed increases 390 bytes for every additional server in the server farm. Starting a new server generates the most amount of traffic to the other data collectors. Starting a new server generates about 8.9KB worth of traffic to the data collector in a default configuration.
31
Bandwidth Requirements for Server Farm Events

The following sections discuss and quantify the bandwidth requirements for normal communication in a server farm. This information can be used to determine potential bandwidth requirements for WAN-based farms. Note Data in the following sections was gathered from tests performed using a Microsoft SQL 2000 data store. These results might not apply to all situations and recommendations will vary based upon how much bandwidth is being used by other network applications.
Communication during Initial Farm Startup

The amount of data (in kilobytes) read from the data store during the initial startup of the server farm is approximated by the following formulas: MetaFrame Presentation Server 3.0: 431 + 3.15*(Srvs -1) MetaFrame XPe / Feature Release 3: 402 + 6.82*(Srvs -1) MetaFrame XPe / Feature Release 2: 456 + 22*(Srvs-1) + .0720*Apps where: Srvs = the number of servers in the farm Apps = the number of published applications in the farmin MetaFrame XP Feature Release 3 and later the number of published applications no longer applies to the equation. The following diagram shows the initial startup of a server farm:
32
When you start a server, it must initialize the IMA Service and also register with the data collector for the zone in which it resides. This communication occurs in the following sequence of events: 1. The IMA Service establishes a connection to the farms data store and then downloads the information it needs to initialize. It also ensures that the data contained in its local host cache is current. 2. After the IMA Service is initialized, the member server registers with the data collector for the zone. 3. Next, the data collector relays all of the updated information written by the member servers in the zone to all other data collectors in the farm to keep them synchronized with each other. The collector-to-collector updates are a function of the amount of information that is updated by the member server. The data collectors replicate only the items that changed; they do not replicate all their tables every time an update is sent. Note In the preceding diagram, there are only two zones. The data collector replicates only the updates it receives from the member servers once to the other data collector. If, for example, there are three zones, the data collector has to replicate the same information twice. This causes higher bandwidth consumption and places a higher load on the data collectors in the farm. The amount of data read from the data store can require higher bandwidth as the farm size increases and certain actions are executed, especially when several servers are started simultaneously. Most network traffic consists of reads from the database. Citrix recommends that the data store be replicated across all high latency or low bandwidth links. A replicated data store allows all reads to occur on the network local to the server, resulting in improved farm performance. If performance across the WAN is an issue, and having a replicated database at each site is cost prohibitive, analyze the WAN links for alternative solutions. The IMA Service start time ranges from a few seconds to several minutes. When the amount of data requested from the data store by the IMA Service is greater than the size of the pipe between WAN segments, IMA waits for all of the data, resulting in a longer startup time. Note When the IMA Service takes a long time to restart, an error message appears on the Presentation Server Console stating that the IMA Service could not be started. The event log can have a message that states that the IMA Service hung on starting. These errors are benign. The IMA Service does start properly after the requests to the data store are serviced.
33
Ordinary Farm Communication

The following figure shows the communication that occurs within a farm once it is up and running:
Every 30 minutes a coherency check is performed between the member servers local host cache and the data store. If neither has changed, this operation consumes approximately only 200 bytes of bandwidth. If the check determines that something changed, the member server searches the data store to determine what changed and updates the information in the local host cache. To ensure that the servers in its zone are functional, the data collector sends an IMAPing to each of the member servers in its zone if it has not received an update from the member server within the last 60 seconds. The data collector also asks the member server for its server load if it has not received a load update within the past five minutes. Finally, the data collectors query the other data collectors in the farm to ensure they are still data collectors, and to ensure they are still operational if they have not received an update in the last 60 seconds.
34
Event-Based Communication
Most traffic is a result of the generation of events, such as when a client connects, disconnects, or logs off. The member server sends updates about its load, license count, and so on to the data collector in its zone. The data collector in turn must replicate this information to all the other data collectors in the farm. The following diagram shows what occurs when a user logs on:
1. The client device requests that the data collector determine the least loaded servers in the farm. 2. The client then connects to the least loaded server returned by the data collector. 3. The member server then updates its load, licensing, and connected session information to the data collector for its zone. 4. The data collector then forwards this information to all the other data collectors in the farm.
35
New Data Collector Election

When a server in the farm is unable to communicate with the zone data collector, a process is initiated to elect a new data collector. The following diagram shows an example of what occurs in a farm after a new data collector is elected:
1. The existing data collector for Zone 1 has an unplanned failure, such as a RAID controller failing, and causes the server to present a fatal error. If the server is shut down appropriately, it triggers the election process before going down. 2. The servers in the zone recognize the data collector has gone down and start the election process. In this example, the backup data collector is elected as the new data collector for the zone. 3. The member servers in the zone send their information to the new data collector for the zone. 4. In turn, the new data collector replicates this information to all other data collectors in the farm. Note The data collector election process is not dependent on the data store. If the data collector goes down, sessions connected to other servers in the farm are unaffected.
36
Local Host Cache Change Events

When configuration changes are made in the Presentation Server Console, the changes are propagated across the farm using notification broadcasts. These broadcasts take place when a change is made that is under 10KB in size, which is usually the case. These broadcasts help to minimize WAN traffic and alleviate contention on the data store. If a server misses a change notification, it picks up the change the next time it does a local host cache coherency check. The following diagram shows an example of local host cache change events communication:
1. The administrator makes a change in the Presentation Server Console affecting all the servers in the farm. 2. The server that the console is connected to updates its local host cache and writes the change to the data store. 3. The server forwards the change to the data collector for the zone in which it resides. The data collector updates its local host cache. 4. The data collector forwards the change to all the member servers in its zone and all other data collectors in the farm. All servers update their local host caches with the change. 5. The data collectors in the other zones forward the update to all the member servers in their zones, and they subsequently update their local host caches.
37
Presentation Server Console Communication

When the Presentation Server Console is launched, it gathers information from several different sources. It pulls static information such as the server list from the data store, dynamic data session information from the data collector, and Resource Manager-specific information from the farm metric server. The following table illustrates consumption of bandwidth to the data store when the following actions are performed using the console:

Action Server enumeration (one server) Server details (one server) Server query Application enumeration (one application) Application query Add Resource Manager metric to application Add Resource Manager metric to application and configure Change farm metric server Any Resource Manager report on the local server Data transmitted (in KB) 0 169.88 26.10 11.97 145.06 11.33 21.95 15.88 6.58

Action Server enumeration (one server) Server details (one server) Server query Application enumeration (one application) Application query Add Resource Manager metric to application Data transmitted (in KB) 0.66 14.31 7.13 0.71 15.57 3.69
38
Action Add Resource Manager metric to application and configure Change farm metric server Any Resource Manager report on the local server
Data transmitted (in KB) 6.76 5.29 1.56

Action Server enumeration (one server) Server details (one server) Server query Application enumeration (one application) Application query Add Resource Manager metric to application Add Resource Manager metric to application and configure Change farm metric server Any Resource Manager report on the local server Data transmitted (in KB) 13 20 193 6 4 11 21 45 5.13
Tip When using the Presentation Server Console to monitor a farm at a remote site, you can conserve bandwidth across the WAN by publishing the console application on a remote server and connecting to it using a client locally.
39
Implementing the Data Store

The following sections discuss network configurations that affect the data store, setting up the data store in a Storage Area Network (SAN), and some special data store scenarios.
Data Store Network Optimizations

In large farms with powerful database servers, the network can become a performance bottleneck when reading information from the data store. This is particularly true when the database server hosts various resource-intensive databases. To find out if the network is the bottleneck, monitor the CPU usage on the data store. If the CPU utilization is not at 100% while the IMA Service is starting, and it is still in the process of starting, the network can be the bottleneck. If the CPU utilization is at or near 100%, it is likely that additional processor(s) may be needed.
Teaming Network Interface Card Configurations

To avoid a potential network bottleneck, Citrix recommends that you use a teaming Network Interface Card (NIC) solution to improve the bandwidth to the data store. NICs and switch ports should always be manually configured to support full duplex and the highest speed available on both devices. This is because the automatic sensing of router settings by the NICs does not always result in an optimal or compatible configuration. If the speed or duplex settings are configured incorrectly, frames likely will be dropped. Many servers come with two installed NIC ports. These NICs can be configured as follows, listed in the order of Citrix's recommendation: Utilize both NICs and team using switch-assisted load balancing within the same subnet if connecting to different blades within a large Layer 3 switch Utilize both NICs and team using adaptive load balancing within the same subnet if connecting to different blades within a large Layer 3 switch Utilize both NICs and configure for failover onto two separate switches Utilize one NIC and disable the second Utilize both NICs and multihome to two different subnets
If two NIC and switch ports are available, these can be teamed, configured for failover, or multihomed. Of these two options, Citrix recommends that you use NIC teaming when the switch ports are located on different blades within a large Layer 3 switch (for example, Cisco 6500 series) because NIC teaming enables both failover and redundancy in addition to higher throughput.
40
Although the Layer 3 switch does represent a single point of failure in this case, most large Layer 3 switches have an extremely low failure rate. More commonly, an individual blade may fail. If a large Layer 3 switch that supports teaming across blades is not available, a failover configuration is the best option. While multihoming is a supported practice, NIC teaming is considered to be the better option in nearly all situations. Multihoming is often configured incorrectly, and security holes could be opened because access control lists configured on the router are bypassed. If it is impossible to team the NICs and switch ports of all of the servers in the farm, Citrix recommends that you apply this recommendation to the following servers at a minimum: Data store server(s) Web Interface server(s) Secure Gateway server(s) Secure Ticket Authority server(s) Secure Access Manager server(s) Zone data collector(s)
Note Citrix recommends teaming NICs using the MAC address, not the IP address because the MAC address is not subject to modification unless the burnedin address (BIA) is modified, The MAC address is a more basic and stable configuration. Follow the switch vendor's recommended practice for manually configuring teaming or aggregating of the switch ports.
Network Fault Tolerance

Network fault tolerance functions as a failover option and provides the safety of an additional backup link between the server and the switch. If the primary adapter fails, the secondary adapter takes over with very minor interruption in server operations. When tested by Citrix, failover caused an interruption of less than 0.5 seconds and did not provide any noticeable impact on existing client sessions.
41
Transmit Load Balancing

This option, formerly known as adaptive load balancing, creates a team of adapters to increase transmission throughput and ensure that all network users experience similar response times. All adapters must be linked to the same network switch. As adapters are added to the server, they are grouped in teams to provide a single virtual adapter with increased transmission bandwidth. For example, a transmit load balancing team containing two Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 200Mbps and a 100Mbps receive rate resulting in a total bandwidth of 300Mbps. One adapter is configured for transmit and receive, while the others are configured for transmit only. Adapter teams configured for transmit load balancing provide the benefit of network fault tolerance because if the primary adapter that supports both transmit and receive fails, another adapter then supports this functionality.
Switch-Assisted Load Balancing

Citrix tested data store connectivity on a 100 Mbps switched LAN. This testing was also repeated in a Gigabit Ethernet environment. It was found that two NICs that were teamed using switch-assisted load balancing; that is, 400Mbps throughput, provided ample throughput without the additional cost associated with Gigabit NICs, cables, and switch ports. However, in very large environments, Gigabit connectivity may be beneficial. Unlike transmit load balancing, you can configure switch-assisted load balancing, also known as Fast EtherChannel (FEC), to increase both transmitting and receiving channels between the server and switch. For example, an FEC team containing two Fast Ethernet adapters configured for full-duplex operation provides an aggregate maximum transmit rate of 200Mbps and an aggregate maximum receive rate of 200Mbps, resulting in a total bandwidth of 400Mbps. All adapters are configured for transmit and receive, with the load spread roughly equal. FEC works only with FEC-enabled switches. The FEC software continuously analyzes load on each adapter and balances network traffic across the adapters as needed. Adapter teams configured for FEC not only provide additional throughput and redundancy but also provide the benefits of network fault tolerance. For more information, see Citrix Knowledge Base article CTX434260 and/or contact your hardware vendor.
42
Implementing the Data Store in a Storage Area Network

A Storage Area Network (SAN) is a dedicated high-speed network that is separate and distinct from the Local Area Network (LAN). A SAN provides shared storage through an external disk storage pool. The SAN is a back-end network that carries only I/O traffic between servers and a disk storage pool while the front-end network, the LAN, carries email, file, print, and Web traffic. Implementing your server farms data store in a SAN can provide increased reliability and improved performance.
Fibre Channel Technology

The most commonly used SCSI technology for SAN implementations is Fibre Channel. Fibre Channel is the standard for bidirectional communications and it features high performance, serial-interconnections. Fibre Channel has the following capabilities: Bidirectional data transfer rates up to 200Mbps Support for up to 126 devices on a single host adapter
Communications up to 20km (approximately 12 miles) Fibre Channel implementations can use either of the following networking technologies: Fibre Channel Arbitrated Loop (FC-AL) FC-AL networks use shared media technology similar to Fibre Distributed Data Interface (FDDI) or Token Ring. Each network node has one or more ports that allow external communication; FC-AL creates logical point-to-point connections between ports. Fibre Channel Fabric (FC-SW) Fabric networks use switched network technology similar to switched Ethernet. A fabric switch divides messages into packets containing data and a destination address, and then transmits the packets individually to the receiving node, which reassembles the message. Fabric switches can cascade, allowing a SAN to support thousands of nodes.
43
Hardware Components
Storage Area Networks typically include the following hardware components: Host I/O Bus The current I/O bus standard is Peripheral Component Interface (PCI). Older standards include Industry Standard Architecture (ISA) and Extended Industry Standard Architecture (EISA). Host Bus Adapter The host bus adapter (HBA) is the interface from the server to the host I/O bus. The HBA is similar in function to a Network Interface Card (NIC), but is more complex. HBA functions include the following: Converting signals passed between the LAN and the SANs serial SCSI Initializing the server onto a FC-AL network or providing a Fabric network logon Scanning the FC-AL or Fabric network, then attempting to initialize all connected devices in the same way that parallel SCSI scans for logical devices at system startup
Cabling Fibre Channel cables include lines for transmitting and for receiving. Because of the shape, you cannot install them incorrectly. SAN networking equipment There are many similarities between a SAN and other networks such as a LAN. The basic network components are the same: hubs, switches, bridges, and routers. Storage devices and subsystems A storage subsystem is a collection of devices that share a power distribution, packaging, or management system such as tape libraries or RAID disk drives. Tape backup SANs provide easy, on-the-fly tape backup strategies. Tape backups are much quicker and consume fewer resources, because all of the disk access occurs on the SANs fiber network, not on the LAN. This allows the data store to be backed up easily even while it is in use.
44
Cluster Failover Support

The data store is an integral part of the MetaFrame Presentation Server architecture. In large enterprise environments, it is important to have the database available all the time. For maximum availability, the data store should be in a clustered database environment with a SAN backbone. Hardware redundancy allows the SAN to recover from most component failures. Additional software such as Oracle 9i Real Application Cluster or SQL Server 2000, utilizing Microsoft Clustering Services (MSCS), allows for failover in a catastrophic software failure, and in Oracles case, improves performance. Note Software such as Compaq's SANWorks may be required to manage database clusters in certain hardware configurations. Microsoft Clustering Services (MSCS), available as part of Windows 2000 Advanced Server and DataCenter products, provides the ability to failover the data store to a functioning server in the event of a catastrophic server failure. MSCS monitors the health of standard applications and services, and automatically recovers mission-critical data and applications from many common types of failures. A graphical management console allows you to monitor the status of all resources in the cluster and to manage workloads accordingly. In addition, Windows 2000 Advanced Server and Datacenter Server integrate middleware and load balancing services that distribute network traffic evenly across the clustered servers. Redundancy and recovery can be built into each major component of the data store. Deploying the following technologies can eliminate single points-of-failure from the data store: Microsoft Clustering Services Redundant hardware Software monitoring and management tools
The basic SAN configuration shown below illustrates each clustered server with dual HBAs cabled to separate FC-AL switches. A system with this redundancy can continue running when any component in this configuration fails.
45
Redundant SAN configuration SAN architecture is very reliable and it provides redundant systems in all aspects of the configuration with multiple paths to the network. Windows 2000 Advanced Server allows two nodes to be clustered. Windows 2000 Data Center allows four clustered nodes. If there is a software or hardware failure on the owner of the cluster node, the servers in the farm lose their connection to the database. When the servers sense that the connection was dropped, the farm goes into a two-minute wait period. The servers then attempt to reconnect to the database. If servers in the farm cannot immediately reconnect to the data store, they retry indefinitely, every two minutes. The servers automatically reconnect to the database, which has the same IP address, once it fails over to the other node of the cluster.
SQL
SQL clustering does not mean that both databases are active and load balanced. With SQL clustering, the only supported clustering method allows one server to handle all the requests while the other server simply stands by waiting for the other machine to fail. Note Citrix recommends that you use Windows NT authentication for connecting to the database when installing MetaFrame Presentation Server to a clustered SQL Server.
46
Oracle
Oracle Real Application Cluster (RAC) does allow true active-active clustering. As database requests are sent using ODBC, they are load balanced among the nodes of the cluster. This configuration provides both fault tolerance and increased performance.
SAN Tuning
In addition to increased reliability, you can tune the SAN to provide better database performance. When tested by Citrix, the data store was used mainly as a repository for reading configuration information. In this configuration, the number of reads far exceeds the number of writes. For optimal data access to the data store through the SAN, you can tune the array controller on the SAN for 100% reads and 0% writes. Note Tuning the SAN for 100% reads and 0% writes still allows servers to write to the data store.
47
Multihoming Servers in the Farm

MetaFrame Presentation Server includes support for multihomed servers. This section explains how to implement MetaFrame Presentation Server on a server operating with two or more network interface cards (NICs). You can run MetaFrame Presentation Server on multihomed servers to provide access to two network segments with no direct route to each. Because each separate network uses the same MetaFrame resources, the networks can access the same server farm. Running MetaFrame Presentation Server on multihomed servers also allows you to separate server-to-server communication from client-to-server communication. This scenario is illustrated in the figure below and is the subject of the examples in this section.
Multihomed MetaFrame Presentation Server Farm
Note Citrix recommends that you do not configure multihomed servers running MetaFrame Presentation Server to operate as routers (TCP/IP forwarding).
48
Configuring the Routing Table

To successfully run MetaFrame Presentation Server on multihomed servers, you may need to manually configure the local routing tables. When Windows automatically builds the servers routing tables, the resulting network card binding order and default gateway configuration may not meet your needs. For information about changing the default gateway, see Configuring a Default Gateway on page 49. When clients request a server name or published application, the server that receives the request returns the TCP/IP address of the appropriate server. The following requests from clients require address resolution: Finding the address of the data collector Finding the TCP/IP address of a given server name Finding the TCP/IP address of the least loaded server for a published application
When a server receives an address resolution request from a client, the server compares the TCP/IP address of the client to its local routing table to determine which network interface to return to the client. If the routing table is not configured correctly, the clients request cannot be filled. The figure above illustrates two multihomed servers, each with a connection to the 10.8.1.0/24 and 172.16.1.0/24 subnets. Neither server is configured to route between the two network interfaces. The process described below occurs when a client requests a response from a computer running MetaFrame Presentation Server. 1. The client with TCP/IP address 10.8.2.20 (ICA01) sends an address resolution request to the server named MFSRV01. 2. MFSRV01 has the TCP/IP address 10.8.1.3. This server also has a second NIC with TCP/IP address 172.16.1.3. 3. ICA01 is configured with MFSRV01 for its server location. ICA01 contacts MFSRV01 and requests a load-balanced application. 4. The TCP/IP address of the least loaded server hosting the requested published application must be supplied to ICA01. MFSRV01 determines that MFSRV02 is the least loaded server. 5. MFSRV02 has two TCP/IP addresses, 10.8.1.4 and 172.16.1.4.
49
6. MFSRV02 determines the source address of ICA01. The server uses its local routing table to determine what network interface should be returned to the client. In this case, the NIC configured on the 10.8.2.0/24 network is returned to the client. If there is no explicit entry for the NIC in the local routing table, the default route, configured automatically by Windows, is used. 7. MFSRV01 uses the local routing table to correctly respond with the 10.8.1.4 address when directing the client to MFSRV02. To set up a routing table on a multihomed server running MetaFrame Presentation Server, first configure a single default gateway and then add static routes.
Configuring a Default Gateway

Although Windows servers build multiple default gateways, the network binding order of the NICs in the server determine which default gateway to use. Using the example illustrated in the figure above, we selected the 10.8.1.1 address as our default gateway. However, we must move the network card operating on the 10.8.1.0/24 network to the first position in the network binding order. There may be certain environments where the configuration of the network binding order will not be sufficient for the server to function properly. For example, if you have a server with two connections to the Internet where each connection provides ICA connectivity for a diverse range of IP subnets, the server uses only the default gateway of the first NIC in its network binding order (referred to as Network 1). If the server receives a request from a client on its second NIC (Network 2) that is not the default gateway, and there is no entry in the local routing table of the server for Network 2, the response to the client request is sent through Network 1, which causes the clients request to fail. Alternatively, you can remove the additional default gateway configurations from each NIC on the server. This is done through the servers TCP/IP configuration. Using servers MFSRV01 and MFSRV02 from our example, we selected 10.8.1.1 as our default gateway for both servers and removed the default gateway setting from the NICs operating on the 172.16.1.0/24 network.
50
Running the command line utility IPCONFIG on MFSRV01 returns the following:
Windows IP Configuration Ethernet adapter Local Area Connection #1: Connection-specific IP Address. . . . . Subnet Mask . . . . Default Gateway . . DNS . . . . . . Suffix . . . . . . . . . . . . . . . . : : 10.8.1.3 : 255.255.255.0 : 10.8.1.1
Ethernet adapter Local Area Connection #2: Connection-specific IP Address. . . . . Subnet Mask . . . . Default Gateway . . DNS . . . . . . Suffix . . . . . . . . . . . . . . . . : : 172.16.1.3 : 255.255.255.0 :
Running IPCONFIG on MFSRV02 returns the following:

Windows IP Configuration Ethernet adapter Local Area Connection #1: Connection-specific IP Address. . . . . Subnet Mask . . . . Default Gateway . . DNS . . . . . . Suffix . . . . . . . . . . . . . . . . : : 10.8.1.4 : 255.255.255.0 : 10.8.1.1
Ethernet adapter Local Area Connection #2: Connection-specific IP Address. . . . . Subnet Mask . . . . Default Gateway . . DNS . . . . . . Suffix . . . . . . . . . . . . . . . . : : 172.16.1.4 : 255.255.255.0 :
51
Adding Static Routes

You can define static, persistent routes to avoid potential routing conflicts. Depending on your network configuration, adding static routes may be the only way to provide ICA connectivity to a multihomed server. The data displayed below uses the example illustrated in the preceding figure. Executing the ROUTE PRINT command from a command prompt on the routing table on MFSRV01 returns the following:
========================================================================== Interface List 0x1 ........................... MS TCP Loopback interface 0x2 ...00 a0 c9 2b f8 dc ...... Intel 8255x-based Integrated Fast Ethernet 0x3 ...00 c0 0d 01 12 f5 ...... Intel(R) PRO Adapter ========================================================================== ========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 10.8.1.1 10.8.1.3 1 10.8.1.0 255.255.255.0 10.8.1.3 10.8.1.3 1 10.8.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1 10.255.255.255 255.255.255.255 10.8.1.3 10.8.1.3 1 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 172.16.1.0 255.255.255.0 172.16.1.3 172.16.1.3 1 172.16.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1 172.16.1.255 255.255.255.255 172.16.1.3 172.16.1.3 1 224.0.0.0 224.0.0.0 10.8.1.3 10.8.1.3 1 224.0.0.0 224.0.0.0 172.16.1.3 172.16.1.3 1 255.255.255.255 255.255.255.255 10.8.1.3 10.8.1.3 1 Default Gateway: 10.8.1.1 ========================================================================== Persistent Routes: None
MFSRV01 is currently configured with a default gateway using the router at 10.8.1.1. Note that the second client, ICA02, is located on the 192.168.1.0/24 network, which is accessed through the router at 172.16.1.1. For MFSRV01 to have network connectivity and to avoid using the default gateway when responding to requests from ICA02, define a static route for the 192.168.1.0/24 network:
ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 172.16.1.1
52
Executing ROUTE PRINT on MFSRV01 now returns:

=========================================================================== Interface List 0x1 ........................... MS TCP Loopback interface 0x2 ...00 a0 c9 2b f8 dc ...... Intel 8255x-based Integrated Fast Ethernet 0x3 ...00 c0 0d 01 12 f5 ...... Intel(R) PRO Adapter =========================================================================== =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 10.8.1.1 10.8.1.3 1 10.8.1.0 255.255.255.0 10.8.1.3 10.8.1.3 1 10.8.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1 10.255.255.255 255.255.255.255 10.8.1.3 10.8.1.3 1 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 172.16.1.0 255.255.255.0 172.16.1.3 172.16.1.3 1 172.16.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1 172.16.1.255 255.255.255.255 172.16.1.3 172.16.1.3 1 192.168.1.0 255.255.255.0 172.16.1.1 172.16.1.3 1 224.0.0.0 224.0.0.0 10.8.1.3 10.8.1.3 1 224.0.0.0 224.0.0.0 172.16.1.3 172.16.1.3 1 255.255.255.255 255.255.255.255 10.8.1.3 10.8.1.3 1 Default Gateway: 10.8.1.1 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 192.168.1.0 255.255.255.0 172.16.1.1 1
Configure MFSRV02 the same way. When the static routes are set up, both the clients can ping the TCP/IP addresses of both servers and the servers can ping the clients. Each server can now correctly resolve the network interface to which either client is connecting. The TCP/IP addresses that the ICA01 client can receive are 10.8.1.3 and 10.8.1.4. The TCP/IP addresses that the ICA02 client can receive are 172.16.1.3 and 172.16.1.4
53
Using DNS Servers for Client to Server Connections

When a client connects to a server or application, the client can use several methods and protocols to enumerate the server name and address where the connection is destined. This section describes how the client interacts with Domain Name System (DNS) servers and what protocols take full advantage of this implementation. In this section, the example domains used are corp.company.com and remote.company.com. The diagram below is referenced throughout this section to provide examples of usage:
A DNS interaction example
TCP/IP+HTTP and TCP/IP+SSL Connections

When using Program Neighborhood with TCP/IP sessions, the client enumerates the server through DNS first. If the server location has the NetBIOS name of the server; for example, MetaFrame1, the client queries DNS and WINS for resolution. If the server location is set to the Fully Qualified Domain Name (FQDN); that is, MetaFrame1.corp.company.com, the client queries only DNS. Using FQDN for resolution is very useful for Internet-ready connections through public networks. A significant performance gain and network traffic reduction in enumeration/ connection exists when only DNS is used. WINS was not used in the tests for this section. Note WINS Lookups are performed only if the client device has WINS addresses set in the network devices TCP/IP properties.
54
The server location settings (Custom Connection Settings/ICA Settings) can hold up to 15 server addresses; five addresses in the Primary group, five addresses in Backup1 group, and five addresses in the Backup2 group. The client resolves all addresses in the groups, even if the first address responds to the request. This resolution is done automatically by the operating system rather than by the client. If DNS round robin is not being used, Citrix recommends that all of the servers FQDN addresses are entered in the server location settings. This ensures proper communication to the farm if one of the servers becomes unavailable. By default, the Web Interface and the Program Neighborhood Agent use TCP/IP as their default ICA connection protocol. To verify that you are using the FQDN of the servers, follow the steps below: 1. Connect to http://<WI_Server>/Citrix/MetaFrame/WIAdmin. 2. Click MetaFrame Servers from the Content area. 3. Verify that the FQDNs are set for all applicable servers. If not, remove the names and add the FQDNs. 4. Click Save. 5. Click Apply Changes for the settings to take effect. These steps ensure that when using the Web Interface and the Program Neighborhood Agent the ICA file generated has the FQDN address of the server instead of a localhost resolution (if the Web Interface is installed on one of the servers) or NetBIOS name resolution. To have the Web Interface generate an ICA file that will connect to the server using the FQDN, perform the following: 1. Open the Presentation Server Console. 2. Right-click the farm and go to Properties. 3. Go to MetaFrame Settings and select the option Enable XML Service DNS address resolution. 4. Click OK to save the settings. This enables the Web Interface and Program Neighborhood Agent to generate the FQDN in the address field of the ICA file. This ensures proper resolution of the server even in dynamic environments. If the servers IP address changes and the DNS support dynamic updates, there is no need to change ICA and Web Interface configurations to support the change.
55
Program Neighborhood Agent and DNS

On a default Web Interface installation, the Program Neighborhood Agents Config.xml file is populated with the NetBIOS name of the Web Interface server. Citrix recommends that you edit this file is edited to change the NetBIOS name to FQDN. This will facilitate communications throughout DNS and HTTP(S) connections. For Web Interface 2.0 and newer products: 1. Open a Web browser and go to http://<WI_Server>/Citrix/PNAgentAdmin. 2. Go to Server Settings. 3. Verify that the Server URL contains the FQDN of the Web Interface Server. If it does not, replace the NetBIOS name with the FQDN. 4. Click Save to save the changes. This action replaces all values listed in the previous step.
DNS Round Robin

DNS round robin is used to distribute TCP/IP connections across several servers with enumeration requests distributed equally across a group of servers. This is beneficial for administrators who have more than 15 servers and would like to use all of the servers at enumeration time. In most cases, the client has to perform an enumeration of the servers in the farm to balance the server loads. To use DNS round robin, create the following DNS host (A) records in DNS1 (from the network diagram above): enum.corp.company.com IN A 192.168.1.20 enum.corp.company.com IN A 192.168.1.21 and the following DNS A host records in DNS2: enum.remote.company.com IN A 192.168.2.20 enum.remote.company.com IN A 192.168.2.21 When the records are created, you can add enum.corp.company.com and enum.remote.company.com as the Server Location for Client1. For Client2, reverse the order of the enumerator addresses: first enum.remote.company.com and second, enum.corp.company.com, to ensure that the client enumerates the corp domain only when necessary. The same applies for Client1 enumerating the remote domain only when necessary.
56
When the client attempts to connect, the DNS server returns all addresses of the farms servers. Each response from the DNS server will include the IP addresses of the farms servers. If Client1 connects to a load-balanced application, the DNS server will return the IP address for MetaFrame1 and MetaFrame2 in the first response for enum.corp.company.com. It will also return the IP address for MetaFrame3 and MetaFrame4 for the second response for enum.remote.company.com. When round robin is enabled on the DNS server, it restructures the list for each client resolution that it receives by moving the first host to the end of the list. This ensures that all the farms servers in the round robin loop alternate taking client enumeration requests. In some cases, clients will have a DNS cache enabled and they will not re-query the DNS server. By default, Windows 2000 Professional and Windows XP Professional have this feature enabled and round robin will appear to fail. To ensure that these clients always try to query the DNS server, see Microsoft Support Article Q245437 - How to Disable Client-Side DNS Caching in Windows. Important As of the 6.20.910 version of the client, if the protocol setting is TCP/ IP+HTTP and you are using DNS round robin, the connection may fail. The client will not issue a second request but it will try to connect to the published application name appending the local clients DNS suffix. The next time the user tries to launch the session; the connection will work as long as the response address is a different one. If the server farm is using Dynamic DNS (DDNS) and DHCP, the recommended best practice is to use FQDN locators in the clients. Using DNS is one of the fastest and easiest methods for ICA traffic addressing.
CHAPTER 4
Deploying MetaFrame Presentation Server
Installing and Upgrading to MetaFrame Presentation Server 3.0

This section contains information and advice for installing or upgrading to MetaFrame Presentation Server 3.0.
Pre-installation Update Bulletin

The Pre-installation Update Bulletin offers late-breaking information and links to critical updates for server operating systems and for Citrix installation files. These updates may be required to install or run the product and should be applied prior to installation. A link to the bulletin is available from the Installation Checklist. Specifically, the bulletin contains instructions and links for downloading and applying: Updates to Microsoft operating system components required to install or run MetaFrame Presentation Server Critical updates to Citrix installation packages Critical post-installation hotfixes
Installation Checklist
Before you install MetaFrame Presentation Server, Citrix recommends that you read the Installation Checklist. The Installation Checklist can be viewed by selecting View installation checklist on the MetaFrame Presentation Server Setup window that appears after inserting your installation CD. It outlines, among other items: Downloading and installing critical updates before you install the product Meeting system requirements Installing and configuring the MetaFrame Access Suite licensing Remapping server drive letters Installing MetaFrame Presentation Server Downloading and installing critical updates after you install the product
Remapping Server Drives

To change the servers drive letters, choose that option from the Autorun screen. Select the Remap Drives option from the Product Installations Screen. If you are upgrading from an earlier release, the Remap Drives option is not available from Autorun. Your existing drive mapping is preserved for the upgrade. To modify the existing drive mapping, run the DriveRemap utility (DriveRemap.exe) located in the root folder of the MetaFrame Presentation Server CD. When running DriveRemap.exe with no parameters, the drive letter choices in the pull down list may be grayed out because the existing drive letters cannot be remapped. For more detailed information, refer to Citrix knowledgebase article CTX950520 at http://www.citrix.com.
(on master page) Header Chapter 4 Deploying MetaFrame Presentation Server
59
Installation/Upgrade Considerations
The following points should be considered when installing or upgrading to MetaFrame Presentation Server 3.0: You can install or upgrade in silent mode using: msiexec /i MPS.msi /qn. If you are using unattended installation or command line parameters to install MetaFrame Presentation Server, a log file (Msi.log) is automatically created in the %systemroot% directory. MetaFrame Presentation Server 3.0 requires communication with a Citrix license server. The license server can be installed in the environment before or after MetaFrame Presentation Server is installed and the name of the Citrix license server can be provided either while you are installing or after installation in the Presentation Server Console. If you install MetaFrame Presentation Server 3.0 using silent or unattended install, you need to ensure that all the prerequisite components are installed. Run Autorun from the installation CD and select the option View installation checklist. Print a copy of the checklist for reference. Servers running MetaFrame Presentation Server should not provide any additional services, such as DHCP, DNS, and WINS. These services require additional server resources that reduce user performance. All available server resources must be dedicated to support MetaFrame Presentation Server and its associated applications. Secure Sockets Layer (SSL) settings are intentionally not migrated for security reasons. When upgrading to MetaFrame Presentation Server 3.0, reconfigure SSL manually. If you upgrade a server that does not have Installation Manager and Resource Manager installed, these components are not installed during the upgrade. To install these components, verify that an Enterprise edition license is available from the Citrix license server, and install these components using Add/Remove Programs in the Control Panel. When upgrading a farm that uses Microsoft Access as the data store, always upgrade the host server first or installation will fail.
Important MetaFrame Presentation Server 3.0 is a platform upgrade. After you install MetaFrame Presentation Server 3.0 you cannot downgrade to earlier versions of MetaFrame.
60
Rapid Deployment of MetaFrame Presentation Server

Having a means of quickly rebuilding a server running MetaFrame Presentation Server helps to minimize the impact that failures have on your users. An automated process can provide the fastest and most efficient means of building or rebuilding a server. This section covers practices regarding rapid deployment of MetaFrame Presentation Server in the enterprise environment, including the use of blade servers, server cloning, and simultaneous installations.
Using Blade Servers in a Server Farm

The use of blade servers in your farm is an ideal fit for MetaFrame Presentation Server. Blade servers have been introduced by most of the major server hardware vendors. They offer a wide range of options depending on the vendor from SAN connectivity, to storage blades, to unique imaging solutions.
Blades and Imaging

Most blade servers ship with some form of imaging software; for example: Dell Net Start, HP Rapid Deployment Pack, and IBM Director. Each of these imaging solutions offers image capture and deployment to servers. A base image can be installed on a single machine stored on the image server, and can then be deployed to all other like servers in your data center. You can image the base operating system and have the imaging software perform an unattended install of MetaFrame Presentation Server using an answer file, or you can image the system with MetaFrame Presentation Server already installed. Important If you want to have remapped drives on the server running MetaFrame Presentation Server, run the drive remap utility after the imaging process is complete.
Scripting Configuration after Imaging

If a cloned version of MetaFrame Presentation Server is deployed, you must reconfigure some settings to allow the MetaFrame Presentation Server to function properly. Most imaging software suites allow the administrator to define scripts to be run on the server after imaging completes. MetaFrame XP Feature Release 3 and later includes a utility, Apputil, that adds a server to the Configured Servers list of a published application. If the application does not exist on the server, Apputil can also be used to deploy the application as an Installation Manager package.
Chapter 4 Deploying MetaFrame Presentation Server
61
With this utility, you can script various different configurations of an installation depending on the application silo in which it resides. After the machine is imaged, the script executes and the Installation Manager package is deployed to the server. The MFCOM SDK also allows scripting of other configuration options through most kinds of scripting languages. Through the MFCOM SDK, new applications can be published, the data collector preference level can be set, load-evaluators applied, and so on. This allows the MetaFrame Presentation Server configuration changes to be applied rapidly as well. See the MFCOM SDK documentation for scripting usage.
Rip and Replace

In the event of a hardware failure, blade servers provide the opportunity to replace the server blade experiencing the failure with a new one. MetaFrame Presentation Server can then be imaged back to the new blade. If the blade server assumes the same name, it continues to function in the same capacity as the previous server running MetaFrame Presentation Server.
Server Cloning
Server cloning can provide more rapid deployment than a scripted installation. A few steps are required for cloning servers. These steps vary depending on the type of data store used for the farm, and are described in the following sections. MetaFrame Presentation Server is compatible with server cloning, but cloning software can cause the operating system or its add-ons to function incorrectly after being cloned. When using server cloning, it is important to clone one server and test its operation before deploying the rest of the farm. Also, although Citrix supports server cloning if done by documented procedures, it is considered a best practice to use an automated installation process for building and rebuilding servers so that a clean server build is assured. Caution Do not attempt to image a server with an SSL certificate installed because SSL certificates are unique to the hardware.
62
Issues to Consider before Cloning a Server

Zone settings are not retained when cloning a server. When the Citrix IMA Service on the cloned server starts for the first time, the server joins the default zone. The name of the default zone is the ID of the subnet on which the cloned server resides. When deploying images to servers on multiple subnets, assign zone information for each server after the imaging process completes. Prior to changing the Security ID (SID) on the machine used to access the Presentation Server Console, add one of the following user accounts as a MetaFrame administrator with full privileges: A domain administrator The local administrators group A local administrator from a machine where the SID is not being changed
Caution Do not attempt to use drive image software to restore an image of a server with remapped drives. Remapped drives will partially revert to the original configuration on the deployed server, rendering the server unusable. Servers with remapped drives can be duplicated using a hardware solution such as Compaq Smart Array controllers with RAID1 drive mirroring. You must complete the following tasks before re-imaging a server that is already a member of a server farm. To prepare a server in a server farm for re-imaging 1. From the Presentation Server Console, remove the list of servers configured to host any applications. 2. Remove the server from the server farm by uninstalling MetaFrame Presentation Server. 3. If the server entry still exists in the Presentation Server Console server list, right-click the server name and remove it from the server list. 4. Apply the system image and add the server to the server farm. Important If a server is not removed from a server farm before a new system image is applied to it, performance problems can result. The Presentation Server Console can display invalid data if the server is returned to the same server farm because the old servers host record in the data store is applied to the newly imaged server.
63
If cloning is not an option, you can create custom unattended installation scripts for both the operating system and applications, including MetaFrame Presentation Server. Note Removal of the WSID (workstation ID) line from the DSN file is no longer necessary when imaging and deploying MetaFrame Presentation Server.
Rapid Deployment with Microsoft Access or MSDE

When using Microsoft Access or MSDE, you must install the first server in the new server farm that will host the data store. You can image the second server in the farm for the deployment of additional servers. To image a server for rapid deployment with Access 1. Install the first server in the farm. 2. Install a second server in the farm with an indirect connection to the data store you created on the first server. 3. With the second server successfully installed and restarted, log on to the console of the second server as a local or domain administrator. 4. On the second server, delete the Wfcname.ini file, if it exists, from the root drive of the server. 5. Stop the Citrix IMA Service using the Services Control Panel. Set the start up type to manual. 6. If MetaFrame Presentation Server, Enterprise Edition components are installed, see Cloning MetaFrame Presentation Server Enterprise Edition Systems on page 65. 7. Take the image of the second server and then restart the second server. 8. Deploy the image obtained in Step 7. Important It is important that some type of SID generation utility be executed when deploying Windows Server 2000 or Windows NT Terminal Services Edition images.
64
To set up the server and verify that it is added 1. Set the SID of the server with your chosen SID generator. 2. Rename the new server with a unique name. 3. Start the Citrix IMA Service and set the service to start automatically. 4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt. If the addition is successful, the newly imaged server will appear in the list of servers.
Rapid Deployment with Microsoft SQL Server, Oracle, or IBM DB2

When using Microsoft SQL Server, Oracle, or IBM DB2 for the server farms data store, you can image the first server in the farm and use it to deploy all other servers. To image a server for rapid deployment with SQL Server, Oracle, or IBM DB2 1. Install the first server in the farm. 2. When the server is successfully restarted, log on to the console as a local or domain administrator. 3. Delete the Wfcname.ini file, if it exists, from the root drive of the server. 4. Stop the Citrix IMA Service and set the start up type to manual. 5. If MetaFrame Presentation Server, Enterprise Edition components are installed, see Cloning MetaFrame Presentation Server Enterprise Edition Systems on page 65. 6. Take the image of the server and then restart the server. 7. Deploy the image obtained in Step 8. Important It is important that some type of SID generation utility be executed when deploying Windows Server 2000. To verify that the server is added 1. Set the Security ID of the server with your chosen SID generator. 2. Rename the new server with a unique name. 3. Manually start the Citrix IMA Service and set the service to start automatically. 4. Verify that the server is successfully added to the farm by executing qfarm at a command prompt on any server in the farm. If the addition is successful, the newly imaged server will appear in the list of servers.
65
Cloning MetaFrame Presentation Server Enterprise Edition Systems

If you are running Resource Manager on a server with MetaFrame Presentation Server Enterprise Edition, you must delete the local database used by Resource Manager (named RMLocalDatabase) so that the cloned server does not retain information from the server you are using as the cloning source. The RMLocalDatabase is installed in Citrix Resource Manager\LocalDB in the default installation directory, %Program Files%\Citrix. On the cloned server, the RMLocalDatabase file is recreated automatically when the Citrix IMA Service starts.
Simultaneous Installations
Citrix recommends that no more than 30 servers be simultaneously installed if you are using a high powered server for your data store, (that is, a current generation dual CPU database server or above.) For older database servers, no more than ten servers should be installed at the same time. During installation, servers must write configurations to the same indexes in the data store. The more servers installed at once, the greater the probability of creating deadlocks on the database server. Important Deadlocks occur when one server times out while waiting to write to a piece of data that is locked by another server. In this event, the IMA Service simply retries after a short interval. When you install servers to a new zone, it is best to first install a single server in the new zone. When installation of the first server in the zone is finished and the server restarts, launch the Presentation Server Console and set the server preference for the first server in the zone to Most Preferred. This avoids problems with new servers in the zone becoming the zone data collector during installation. Important When creating a new farm, the first server installed in the first zone is automatically configured with a server preference of Most Preferred. Therefore, the process of setting the server preference described above applies only when creating additional zones.
66
Other MetaFrame Presentation Server Deployment Scenarios

In addition to the rapid deployment scenarios described above, there are a number of other scenarios for deploying MetaFrame Presentation Server to your farm.
Deploying with Installation Manager

Installation Manager can be used to deploy the Windows Installer package that upgrades MetaFrame XP Feature Releases 2 and 3 servers to MetaFrame Presentation Server 3.0. Note MSI 2.0 must be installed on all the MetaFrame XP Feature Release 2/ Service Pack 2 servers in the farm you plan to upgrade. If you already have MSI 2.0 installed, skip the instructions to install MSI 2.0. The MSI 2.0 install program Instmsiw.exe is lin the Support\msi20 folder on the MetaFrame XP Feature Release 3 CD. To install MSI 2.0, do one of the following: Copy the Intmsiw.exe file from the support\msi20 folder of the MetaFrame Presentation Server CD to the target servers and then execute the file. Create an unattended installation package for the MSI 2.0 install using the Installation Manager Packager and deploy it to the target servers. The /q option can be used for unattended installation.
Note Citrix recommends that the Force reboot after install option is set in Installation Manager when scheduling the installation. Before you Begin Ensure there are no users logged on to the servers, because the upgrade installation requires a server restart. Ensure the network account being used for Installation Manager package deployment is a member of the Local Administrators group on each target server.
67
To create a transform file for upgrading to MetaFrame Presentation Server. 1. Use a transform editor to create a transform file using Mps.msi. Use the transform editor of your choice. If you use Microsoft Orca as your editor, use Version 2.0.26 or higher. 2. From within the editor, choose the Property table in Mps.msi. 3. Generate a transform file with all desired changes in property values and save it as Mpstransform.mst. Do not alter the original Mps.msi file. Note Transform templates are provided in the Support\install directory on the MetaFrame Presentation Server CD. The first server installed should use use the Point for LicenseServerChoice setting with a valid license server name provided in LicenseServerName. The other servers joining the same farm should use UseFarmSettings with no license server name required. Follow the directions above to create two transform files; one for the first server you upgrade and a second transform file for all remaining servers in the farm. To upgrade to MetaFrame Presentation Server Follow the directions below to add two Installation Manager packages to the Presentation Server Console; one for the first server you upgrade, using the transform that specifies the license server name and a second package using the second transform file created for the remaining servers in the farm. 1. Copy the contents of the MetaFrame Presentation Server CD to a file share on a network share point. 2. Copy the MST file to the folder that contains the Windows Installer package (Mps.msi). 3. Ensure there are no users logged on to the target servers. 4. Use the Presentation Server Console to connect to the server farm; in the left pane click Installation Manager. The Installation Managers network account must have administrators privileges on each target server and must have permission to access the files on the network file share. This cannot be a NetWare Account. 5. Add the Mps.msi package to the Installation Manager database. When prompted to add transforms, click OK. 6. Add the MST file to the Windows Installer package. This MST file must be located in the same directory as the MetaFrame Presentation Server Windows Installer package or the deployment will fail. 7. Deploy the Windows Installer package to the target servers.
68
8. When the deployment is complete and the servers restart, log on to the server farm from the Presentation Server Console. 9. If any server is not included in the package deployment (for example, if you are using the Management Console from a server in the server farm), upgrade that server to MetaFrame Presentation Server 3.0, either from the files on the network share or by logging on to a different server and deploying the package to the server.
Deploying with Active Directory

Follow these guidelines when deploying MetaFrame Presentation Server using Active Directory: Place target and source servers in the same domain. The source server and any transforms to be applied must be members of the same domain as the servers to which you are deploying. Enable the Windows Installer Logging because Active Directory does not notify the user if a deployment fails.
To enable Windows Installer Logging 1. Run regedt32. 2. Locate the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Installer 3. Right-click in any blank space on the right window and select String Value. 4. Name the string value Logging and then click OK. 5. Double-click the new Logging value and enter the string iwearucmopv as the Value Data. 6. Restart the system so the new registry value can take effect. Caution Ensure Windows Installer Logging is turned off at the end of the procedure or all Windows Installer deployments are logged. When you enable logging using this procedure, log files are stored in the directory %SystemRoot%\Temp. Open the log file and search for the line above Return Value 3 to determine why a deployment failed.
69
Deploying with Computer Associates Unicenter

This section describes the basic steps for deploying MetaFrame Presentation Server using Computer Associates Unicenter's Software Delivery product. For more detailed information, see the Unicenter documentation available from the Computer Associates Web site at http://www.ca.com. 1. Edit any Windows Installer transforms to be applied to the MetaFrame Presentation Server Windows Installer installation package. Sample transforms that you can edit to fit your installation scenario are included on the MetaFrame Presentation Server CD in the support\install folder. For more information about the Windows Installer package and the sample transforms, see the MetaFrame Presentation Server Administrators Guide. 2. Copy the MetaFrame Presentation Server Windows Installer installation package and your customized transforms to a directory on the source server. Citrix recommends that you copy these files to the servers root directory. Copy the installation package and transforms to the same directory. 3. Install the Unicenter Software Delivery Agent on each server on which you want to install MetaFrame Presentation Server. Consult the Computer Associates documentation for information about unattended installation of the agent. 4. Create a new volume using the Software Library node. In the Register Software dialog box, enter the name MetaFrame Presentation Server and the version 1.0. A node is created with this name. 5. On the General tab of the Register Procedure dialog box, choose the Install task and select Windows 32-bit from the list of operating systems. 6. On the Embedded File tab, enter Mps.msi in the File field. In the Subpath field, enter the path to the location of the MetaFrame Presentation Server installation package and transforms. If you copied these files to the server's root directory, enter a backslash (\). 7. Select Install for the MSI method. In the Transforms field, enter the name of any customized transforms you created using the sample transforms from the MetaFrame Presentation Server CD. 8. On the Options tab of the Register Procedure dialog box, select all logging options. Click OK to close the Register Procedure dialog box. 9. Right-click the MetaFrame Presentation Server node and select Seal. 10. Deploy the MetaFrame Presentation Server package. You can drag and drop the package to the target servers listed under the All Computers and Users node.
70
Deploying from an Administrative Share Point

MetaFrame Presentation Server for Windows supports the installation of the Windows Installer package from an administrative share point. Use the following command to create the administrative share point: Msiexec.exe /a [path] mps.msi You can use the MetaFrame Presentation Server for Windows setup properties parameter to create a customized administrative share point that can be used to deploy MetaFrame Presentation Server. You can create an administrative share point to install the first server and create the server farm. Another share point can be created to be used to install the servers that join the server farm. In this scenario, you will not need to fill in all the setup properties during the actual installation time. All you need to do is run a silent installation from the administrative share point. Below is a sample command line to create a customized administrative share point. This command line example creates an administrative installation share point that can be used to install MetaFrame Presentation Server that creates a farm using a third-party database (SQL) as the data store:
msiexec /a mps.msi /l*v c:\msi.log TARGETDIR="Y:\wh32\sqlnt2k_1" INSTALLDIR="c:\Citrix\" CTX_MF_FARM_SELECTION="Create" CTX_MF_CREATE_FARM_DB_CHOICE="Thirdparty" CTX_MF_ZONE_NAME="SQLZONE" CTX_MF_SILENT_DSNFILE="c:\sql.dsn" CTX_MF_ODBC_USER_NAME="username" CTX_MF_ODBC_PASSWORD="password" CTX_MF_NEW_FARM_NAME="FarmSQL" CTX_MF_USER_NAME="Uname" CTX_MF_DOMAIN_NAME="dname" CTX_MF_SHADOWING_CHOICE="Yes" CTX_MF_SHADOW_PROHIBIT_REMOTE_ICA="No" CTX_MF_SHADOW_PROHIBIT_NO_NOTIFICATION="No" CTX_MF_SHADOW_PROHIBIT_NO_LOGGING="No" CTX_MF_XML_CHOICE="separate" CTX_MF_XML_PORT_NUMBER="2000" CTX_MF_NFUSE_DEF_WEB_PAGE ="No" CTX_MF_LAUNCH_CLIENT_CD_WIZARD="No" CTX_MF_TURN_FEATURE_RELEASE_ON="Yes" CTX_MF_SERVER_TYPE="E" CTX_MF_REBOOT="Yes" CTX_MF_PRODUCT_CODE="0D00-06A7" CTX_MF_ADD_LOCAL_ADMIN="Yes" CTX_MF_LIC_CHOICE_FOR_CREATE=Point CTX_MF_LICENSE_SERVER_NAME=[LicenseServerInUse] CTX_RDP_DISABLE_PROMPT_FOR_PASSWORD="Yes" CTX_MF_ENABLE_VIRTUAL_SCRIPTS="Yes"
Note You can also create customized administrative share points using transform files. Refer to the MetaFrame Presentation Server Administrators Guide for further information.
71
Deploying with Oracle Real Application Clusters

For MetaFrame Presentation Server for Windows, Citrix configured an Oracle Real Application Cluster (RAC) environment using an EMC2 Celerra Network Enterprise Server for the shared disk subsystem. The configuration tested used the Oracle Cluster File System (CFS) on Oracle servers running Microsoft Windows Server 2000 Service Pack 3. When using an Oracle RAC configuration, all Oracle server nodes actively process requests against the same backend database. Running with a RAC configuration provides the following benefits: All nodes can run using the same Oracle Home executable files. Using shared executables guarantees that all nodes are using the same version and decreases upgrade time. All nodes can simultaneously access the same data, providing multiple frontend servers to access the data. This provides exceptional performance gains with read-intensive database operations. Requests are automatically load-balanced across active nodes. New requests to a failed server are automatically routed to a surviving node.
In addition to the fault tolerance benefits, using a RAC cluster for the MetaFrame Presentation Server data store provides improved response time for the IMA Service on startup and during read-intensive operations such as updates.
Test Environment
Two Cluster Servers with the following configuration:
Compaq ProLiant 1850R Dual P3 600Mhz 1GB RAM 16GB SCSI local disk Emulex LightPulse 9000 Host Bus Adapter (HBA) connected by Fiber Optic cable directly to the EMC2 Celerra One 100Mbps Compaq NIC used for both normal and cluster communication
One EMC2 Celerra Enterprise Network Server with the following configuration:
51GB partition available to the cluster servers Arbitrated Loop SAN configuration Dedicated Fiber Adapter (FA) ports for access by the Emulex HBA cards
72
The Oracle CFS Software

The software for the Oracle Real Application Clusters, Cluster File System for Windows NT or Windows Server 2000, can be downloaded from Oracle. The download includes updates for the software provided on the Oracle 9iR2 CD media and the installation instructions in a file named Ocfs_relnotes.pdf that contains pertinent information about setting up the CFS environment. Failure to follow the guidelines explained in this document may result in a failed Oracle RAC installation.
Process Overview
The following section lists the steps outlined in the ocfs_relnotes document. For a more complete explanation of the steps, refer to that document. 1. Configure a physical connection to the shared disk subsystem. 2. Configure the shared disks on Windows Server 2000. 3. Install Oracle Cluster File System (CFS). 4. Install Oracle 9iR2. 5. Patch the Oracle RAC files. 6. Reconfigure the Oracle listeners. 7. Create the database using the Database Configuration Assistant (DBCA). 8. Create a Tnsnames.ora file for the cluster configuration. 9. Install MetaFrame Presentation Server 3.0.
73
Deploying MetaFrame Presentation Server Clients

MetaFrame Presentation Server contains Microsoft Windows Installer (MSI) packages for both Program Neighborhood and the Program Neighborhood Agent. The following section describes how to deploy the clients to various client devices using both the Windows Installer service and Active Directorys IntelliMirror.
Silent Client Installations Using Windows Installer Packages

This section describes how to create Program Neighborhood Agent, Program Neighborhood, or Web Client Windows Installer packages for use in a silent installation with the Windows Installer service. A silent installation is an installation without user interaction. With Version 8.x of the MetaFrame Presentation Server Client Packager, adminstrators can create custom client Windows Installer packages to install any or all of the available clients: Program Neighborhood Agent, Program Neighborhood, or Web Client. With these client packages, you can also preselect information that is usually prompted for, such as Web Interface Server. With Version 8.x, after creating a custom client package you can use SMS, Active Directory, or Installation Manager to deliver the new clients without any user interaction.
Requirements
MetaFrame Presentation Server Client Packager (Version 8.x) Microsoft Windows Installer (Version 2.0 or above)
To create a custom client package 1. Insert the MetaFrame Presentation Server Component CD in the CD-ROM drive, select MetaFrame Presentation Server Clients, and then select Create a custom Windows client installation package. -orLocate the Ica32pkg.msi file on the client CD in the ICAINST\en\ica32\ directory and from a command line, type msiexec /a <path to msi file>\ica32pkg.msi. 2. Select Next on the Welcome screen. 3. Select a Network installation point and what kind of Windows installer package you want to create and click Next. 4. Accept the Licensing Agreement and click Next. 5. Select which client or clients you want to include in the package, select the install location, and click Next.
74
6. If installing Program Neighborhood, select the Server URL for Web Interface and click Next. 7. Select the Program Folder name and click Next. 8. Select whether or not to use the machine name or let the user specify and click Next. 9. Select whether or not you want to use the local name and password and click Next. If you select Yes, a checkbox appears allowing you to use Kerberos only as the single sign-on method. 10. Select whether to upgrade or overwrite existing clients and click Next. 11. The Select User Dialog Boxes screen allows you to select the dialog boxes and options you want the user to see when installing the custom package. To make the installation silent, select Remove All and click Next. 12. Click Next for the Installation Summary screen. 13. The custom client package is created and saved in the directory specified in Step 3.
Deploying the Client Package

Because all dialogs are hidden, there is no need to add any additional command-line switches to install the MSI file in silent mode. When the user double-clicks the Custom ica32pgk.msi or when its deployed by SMS, Active Directory, or Installation Manager, the client or clients are installed silently and the client or clients will contain all preconfigured information.
General Notes about Custom Client Packaging

The new client package is named Ica32pkg.msi unless it was changed. This may cause some confusion because the original file on the Component CD is also Ica32pkg.msi. The network installation point selected must be accessible by all users installing the Windows Installer package.
75
Program Neighborhood Agent as a Pass-Through Client

You can choose to install Program Neighborhood Agent to be used as a passthrough client on the server during the MetaFrame Presentation Server installation. This allows users to connect to the server desktop and use the functionality of the Program Neighborhood Agent. To install the Program Neighborhood Agent, select the Program Neighborhood Agent component during the MetaFrame Presentation Server installation and select Will be installed on local hard drive. Note Program Neighborhood Agent is not selected to be installed by default during a MetaFrame Presentation Server installation. If you install the Program Neighborhood Agent, you are prompted later during Setup to enter the URL of the server running the Web Interface for MetaFrame Presentation Server. This server hosts the Program Neighborhood Agent configuration file. By default, MetaFrame Presentation Server attempts to resolve the localhost as a server running the Web Interface. If you did a fresh install and didnt choose to install the Program Neighborhood Agent, or did an upgrade, you can install the client after MetaFrame Setup. To install the Program Neighborhood Agent after installation 1. In Control Panel, launch Add/Remove Programs. 2. Select Change on Citrix MetaFrame Presentation Server for Windows entry name. 3. Select to Modify the Windows Installer packages installed on the system and click Next. 4. Select the Program Neighborhood Agent component, select Will be installed on local hard drive, and click Next. 5. Enter the server URL for the Web Interface Server or leave as localhost if Web Interface is installed on the same computer as MetaFrame Presentation Server. 6. Select whether or not to enable pass-through Authentication and click Next. 7. Verify the component changes and click Finish.
76
Dynamic Client Name and Machine Name

Dynamic Client Name is a feature that is included in clients Version 7.00 and later. Previous versions of the clients reported only the client name that was statically configured during installation of the client and stored in the Wfcname.ini file. If the Dynamic Client Name feature is not enabled, the client name that is reported to the MetaFrame Presentation Server when connecting to a session is stored in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\ClientName When the Dynamic Client Name feature is enabled, the client calls the Windows function GetComputerName, which retrieves the computers NetBIOS name and reports it to the server. Dynamic Client Name can be enabled or disabled during the installation process. In Program Neighborhood, you can change this option after installation by selecting Dynamic Client Name under Tools > ICA Settings > General. In all other clients, including Program Neighborhood Agent, you can enable or disable this feature by deleting or creating the HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\ClientName registry value. These changes take effect on all new connections. Note Earlier releases of the clients (prior to Version 6.30) stored the client name in the C:\wfcname.ini file.
CAB-Based Client Packages

Three different CAB packages for the clients are shipped with MetaFrame Presentation Server 3.0: Wfica.cab: The full Program Neighborhood (3.97MB). Wficat.cab: The Web Client (2.2MB). Wficac.cab: The minimal Web Client (1.3MB). This is the new zero install client that customers requested.
There are several benefits to the (Active-X) Web clients (Wficat.cab and Wficac.cab). For example: The user doesnt initiate the installation. The browser (Internet Explorer) initiates the installation on a need-to-download-and-install basis. The CAB file package installation is fast because it is limited in size. The CAB file is unpackaged in a temporary directory, leaving no or little footprint on the target desktop. Changes made to a desktop are none or minimal (registration of ActiveX ICA control).
77
Along with the benefits, trade-offs were made to keep the Web clients package small and efficient. Because a smaller footprint means a reduction in size of the client package, certain features from the full-fledged client represented by Program Neighborhood or Program Neighborhood Agent are not available for the two smaller sized CAB-based client packages (Wficat.cab and Wficac.cab).
Supported Features
The following features are supported by the Wficat.cab installation: Client engine Thinwire Client drive mapping Licensing Connection Center Runtime Manager Auto-client reconnection Zero Latency Font Manager Client Audio Mapping Client Printer Mapping Universal Printer Driver Client COM port mapping Netscape plug-in Protocol Driver (128-bit) Protocol driver (old compression) Smartcard support Active X control ICA Client Object SSL support Auto-client update Name Resolver (TCP/IP) Name Resolver (HTTP) INI files
78
Support DLLs TCP/IP protocol support
In addition to the features above, the following new features for MetaFrame Presentation Server 3.0 are also supported: Bi-directional Audio Session Reliability Dynamic Session Resizing New logon look and feel Client engine Thinwire Client drive mapping Licensing Connection Center Runtime Manager Auto-client reconnection Client Printer Mapping Smartcard support Active X control ICA Client Object SSL support Name Resolver (TCP/IP) Name Resolver (HTTP) INI files Support DLLs TCP/IP protocol support.
The following features are supported by the Wficac.cab installation:
In addition to the features above, the following new features for MetaFrame Presentation Server 3.0 are also supported: Session Reliability Dynamic Session Resizing New logon look and feel
79
Unsupported Features
Wficat.cab: The new MetaFrame Presentation Server 3.0 SpeedScreen Multimedia Acceleration feature is not supported. Wficac.cab: The following features are not supported: Zero Latency Font manager Client Audio Mapping Universal Printer Driver Client COM port mapping Netscape Plug-in, Protocol Driver (128-bit) Protocol Driver (old compression) Auto Client update
In addition to the features above, the following new MetaFrame Presentation Server 3.0 features are also not supported: SpeedScreen Multimedia Acceleration Bi-directional audio
Wficac.cab Considerations
Listed below are some of the known issues and considerations regarding the new Wficac.cab file, coupled with any known workarounds.
Upgrade Considerations
1. If one version of the client is already installed on the target machine, the same version CAB-based Web Client package is not downloaded and installed by the Internet Explorer browser. 2. For the same version of Web Client installed on a target machine installed by the thin CAB file, users cannot install the Web Client by the thick CAB file if there is a need to use more features. The version numbers on the CAB files remain the same and Internet Explorer will not download and install the thick CAB-based client. Workaround: Users must uninstall the thin CAB-based Web Client using Add/ Remove Programs in the Control Panel and then visit a Web page that points them to the location to download the full version of the Web Client.
80
3. If a lower version of the full Web Client is installed on the target machine and users visit a Web page that points to a higher version CAB-based Web Client, Internet Explorer always prompts users to download and install the latest Web Client, leading to multiple client installations on the target machine. Workaround: Uninstall the Web Client and then visit the Web page pointing to a higher version CAB-based Client. Note By installing a smaller CAB client, even if it is a higher version, some features are lost due to the streamlining of the client.
Limitations/Constraints of WficaC.cab
1. The CAB-based ActiveX Web Client requires permission to download an ActiveX control using Internet Explorer. The user needs the appropriate level of permissions to create subkeys under HKEY_CLASSES_ROOT registry to correctly register the ActiveX control and to register the .ica file type extension to support launching of ICA connections outside the browser. 2. Internet Explorer 5.0 or later is the only supported browser for these versions of the CAB-based client. 3. Only a limited number of client features are available in the minimal Web client.
Deploying Clients Using Active Directory

Active Directory can be used to deploy Program Neighborhood Agent and Program Neighborhood. This section describes how to publish or assign an application for a group of users or computers using Active Directory. The Microsoft definition of publish is to make an application available to a user for installation through Add/Remove Programs or by launching a file associated with the application. If the Windows Installer package is assigned to a user, whenever the user logs on to a workstation, the Windows Installer service advertises the set of applications that are listed in the Active Directory Organizational Unit for that particular user. Advertising means that the class IDs, extensions, and shortcuts are installed for the user so that when the user doubleclicks a file with an associated extension, or double-clicks the advertised shortcut, the application is fully installed for that user. For more information regarding assigning and publishing applications to users and computers using Active directory group policies, refer to the Windows online documentation.
81
Requirements
Program Neighborhood Agent (Version 7.00.13547 or later). Program Neighborhood (Version 7.00.13547 or later). Web Client (Version 8.x or later). Windows Installer Service. The Windows Installer service (Msiexec.exe) is present by default on computers running the Windows 2000 Server or Windows 2003 Server operating systems. If the client device is running Windows NT 4.0 or Windows 9x, you must install Windows Installer Version 2.0 or higher.
To deploy the Client Windows Installer package on a computer or set of computers 1. Verify that your client device does not have a client installed. 2. Join an Active Directory domain. This allows you to assign or publish a Windows Installer application for computers and users in that domain or in an organizational unit within the Active Directory domain. 3. On a machine that belongs to the Active Directory domain, launch the Microsoft Management Console (MMC) and load the Active Directory Users and Computers snap-in or go to Start > Programs > Administrative Tools > Active Directory Users and Computers. 4. For this example, create a new Organizational Unit (OU) called MSI test and a new user called MSIuser. Go to the Computers group and find the machine you added to the Active Directory domain. Right-click the machine and select Move. Select the MSI Test folder and click OK. Follow the same steps to add the new user from the Users group to the new OU folder. Note The above step is necessary to test a contained number of users and computers. In the next step we will edit the Group Policy of that container to ensure that any changes made to the Group Policy will not affect the rest of the Active Directory domain. 5. Right-click the MSI test OU and go to Properties. From the Group Policy tab, create a new Group Policy Objects Link called MetaFrame Presentation Server Client Install. 6. Select the MetaFrame Presentation Server Client Install policy and click Edit. Under Computer Configuration > Software Settings > Software Installation, right-click Software Installation, and select New > Package.
82
7. Browse to a network share containing the Ica32pkg.msi file, select the Windows Installer package, and set the deployment method to Assigned. This step ensures that all environment settings are present for the Automated Install for the client. Click OK. Software Installation displays a software package assignment for deployment. 8. Restart the client device. As the client restarts, Active Directory Group Policy automatically installs the client on the computer. In the Windows Startup dialog box, a message appears telling you that the client is being installed by Remote Managed Applications. This message appears before the logon dialog box appears. 9. Log on to the client device and verify that the client is installed. Important For Windows XP Professional operating systems, the machine has to be restarted twice before the Active Directory Group Policy automatically installs the client on the computer. However, if the Active Directory is a Windows Server 2003 Active Directory, you can avoid the second restart after creating the policy by going to a command line on the client device and typing gpupdate /force. This command prompts you to restart, but it is necessary to restart the Windows XP Professional operating system only once. To uninstall the Client Windows Installer package from a computer or set of computers using Active Directory 1. On a machine that belongs to the Active Directory domain, launch the MMC and load the Active Directory Users and Computers snap-in or go to Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. Right-click the MSI Test OU folder and select Properties. From the Group Policy tab, Edit the MetaFrame Presentation Server Client Install policy. Under Computer Configuration > Software Settings > Software Installation, rightclick the MetaFrame Presentation Server Client Package and select All Tasks > Remove. Ensure that Immediately Uninstall is checked, then click OK. 3. Restart the client device. As the system restarts, the Active Directory Group Policy automatically uninstalls the client from the computer. On the Windows Startup dialog status box, a message appears telling you that the client is being removed by Remote Managed Applications. This message appears before the logon dialog box appears. 4. Log on to the client device and verify that the client is completely removed from the client device.
83
To publish the Client Windows Installer package to a user or group of users in an Active Directory domain 1. On a machine that belongs to the Active Directory domain, launch the MMC and load the Active Directory Users and Computers snap-in or go to Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. If you did not create a new test OU for previous client installations, create a new OU called MSI test and a new user called MSIuser. 3. In the Users folder, right-click MSIuser and select Move. Select the MSI Test OU folder and click OK. 4. Right-click the MSI Test OU and select Properties. Go to the Group Policy tab, highlight the MetaFrame Presentation Server Client Install policy, and click Edit. If you do not already have a MetaFrame Presentation Server Client Install policy from a previous example, create a new Group Policy Objects Link named MetaFrame Presentation Server Client Install. 5. Under User Configuration > Software Settings, right-click Software Installation and select New > Package. Browse to a network share containing the Ica32pkg.msi file, select the Windows Installer package, and set the deployment method to Published. Click OK. Software Installation displays a software package assignment for deployment. 6. Close all management windows and restart the client. 7. Log on to the client device as MSIuser. 8. Go to Add/Remove Programs and click Add New Programs. Verify that the client is included in the list and is ready to be added. Click Add and verify that the client is successfully installed. Note When using the Published method to make the client Windows Installer package available to users for installation, you can also initiate installation of the client by opening a file with the .ica extension.
Additional Notes
The client Windows Installer package can also be made available to users using the Assigned deployment method. If you assign a package to users, only the class IDs, extensions, and shortcuts are installed. When the user double-clicks a file with an .ica extension or double-clicks the shortcut, the client is fully installed for that user. If you answer Yes to the option Would you like to enable and automatically use your local user name and password for MetaFrame sessions from this client?, at least one restart is required following the installation of the client.
84
Troubleshooting
Publishing the Program Neighborhood Agent, Program Neighborhood, and the Web Client Windows Installer Packages to users is not supported on Windows Server 2000 or on Windows Server 2003. The only available method of using Active Directory to deploy clients to Windows Server 2000 or to Windows Server 2003 is to assign the package to a computer or to a group of computers.
Logging for a Client Windows Installer Package

Add an entry to the group policy for Windows Installer logging. 1. On a machine belonging to the Active Directory domain, launch the MMC and load the Active Directory Users and Computers snap-in. Alternatively, select Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. Right-click the OU containing the target computers and select Properties. 3. Locate the Group Policy Tab, highlight the MetaFrame Presentation Server Client Install policy, and click Edit. Note If you created a separate OU for your target servers, create a new policy for the OU. 4. Within the Group Policy Editor for the policy, go to Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Logging. Choose Enabled and select the required type of logging from the list of available options. 5. Enter "voicewarmup" to enable all possible logging. The log file is created in %systemroot%\Temp\msi*.log. Use the creation dates to differentiate log files.
Client Support on the Compaq iPaq

The MetaFrame Presentation Server Client is supported on Compaq iPaq devices. This device can be used as a client as well as a server farm management tool for high density servers. The recommended client is the Client for Windows CE ARM Version 7.x or later. Tip The client supports input from both the iPaq keyboard and character recognizer and transcriber within a session.
85
IPaq Configuration
Configure the following settings in the client for better performance with WAN connections: Disable sound Enable Enable Palette Device Limit session color depth to 256 colors Set the encryption level to Basic If possible, avoid accessing the client drives in the session
To run the Presentation Server Console in a client session, set the ICA settings as follows: Window Size: Absolute (in pixels). When you set the Allow Intermediate Zoom Factor, the client can dynamically zoom the session window. Window Color: 256. Data Compression: On.
The version of Internet Explorer that comes installed on the iPaq supports the Web Console if it is installed on the computer running MetaFrame Presentation Server. Some manual adjustment of the screen is necessary; however, the Web Console will be fully functional. To access the Citrix Web Console, enter the URL of the server where the Web Console is installed; for instance http://webserver/citrix/ webconsole/default.asp.
Wireless LAN (802.11b) and Traditional Network Connections

Any network settings selected for the iPaq should have minimal impact on session performance because of the high speeds and available bandwidth on most networks and wireless LANs. To alleviate poor connections or to provide better support for roaming on a wireless LAN, adjust the Keep Alive settings on the servers. This improves performance and helps prevent connections from being dropped on networks that contain dead spots. See the Citrix Knowledge Base article CTX708444 for configuration settings. You can access the Citrix Knowledge Base at http:// www.citrix.com/support. Note You may experience problems with iPaq (Windows CE / PocketPC) if deployed with earlier versions of the Web Interface (known as NFuse). This restriction was due to the lack of VBscript support in the PocketIE browser. The Web Interface for MetaFrame Presentation Server was tested with PocketPC and resolves these issues.
CHAPTER 5
Managing Server Farms
This chapter includes recommendations and best practices for managing MetaFrame Presentation Server.
Management Consoles for MetaFrame Presentation Server

The following sections discuss installing and using two management consoles that are used to manage MetaFrame Presentation Server: Presentation Server ConsoleYou can use the Presentation Server Console to connect to any server farm in your deployment and manage every aspect of the servers and farm. MetaFrame Access Suite ConsoleThis console extends your ability to manage your deployment by integrating consoles with the Microsoft Management Console (MMC). The Access Suite Console snaps into the MMC to provide a central location for managing your deployment. You can monitor, view, and run reports on multiple farms at the same time using the Access Suite Console.
Installing the Management Consoles

The following procedures explain how to install the Presentation Server Console, MetaFrame Access Suite Console, and also the Web Console. To install or upgrade the Presentation Server Console on standalone servers 1. Run Autorun from the MetaFrame Presentation Server CD. 2. Select Product Installations. 3. Select Install management consoles. 4. Accept the license agreement and follow the remaining dialog boxes to finish the installation of the Presentation Server Console.
To skip installation of the Presentation Server Console Use the following command to skip the installation of the Presentation Server Console during the MetaFrame Presentation Server installation:
msiexec /i mps.msi CTX_ADDLOCAL=all REINSTALL=CTX_MF_CMC
Note CTX_MF_CMC must be in upper case. To install the MetaFrame Access Suite Console on standalone servers 1. Run Autorun from the MetaFrame Presentation Server CD. 2. Select Product Installations. 3. Select Install management consoles. 4. Accept the license agreement and follow the remaining dialog boxes to finish the installation of the Access Suite Console. To install the Web Console on standalone servers 1. The following software must be installed and requirements met prior to installing the Web Console as a standalone application on a server: Internet Information Services 5.0 The MetaFrame Presentation Server 3.0 MFCOM SDK
2. Download Mpssdk.exe from the Citrix Web site to install MFCOM SDK and follow the instructions distributed with the SDK. 3. When prompted, enter the name of the computer running MetaFrame Presentation Server on which you want to run MFCOM. 4. Download Cwc.msi from the Citrix Web site and run msiexec /i cwc.msi CWC_MFCHECK="N". 5. Follow the wizard and complete the installation. To change the computer running MetaFrame Presentation Server to which the Web Console is pointed, run the command MFREG <servername> from a command prompt or from the run command. Note On Windows Server 2003, the Active Server Page service extension is prohibited by default. After installing the Web Console, you must allow Active Server Pages to use the Web Console. Refer to the Windows Server 2003 documentation for information about Active Server Pages.
(on master page) Header Chapter 5 Managing Server Farms
89
Using the Presentation Server Console

This section offers recommendations for using the Presentation Server Console in an enterprise environment.
Configuring Data Refresh

By default, automatic refresh of data is disabled in the console. Enabling automatic refresh increases CPU utilization and TCP traffic on the network. Opening multiple instances of the console in the same farm with automatic refresh enabled increases network congestion. However, if you want to enable automatic refresh, to view real-time data related to client connections and disconnections, for example, complete the following tasks: To enable automatic data refresh in the Presentation Server Console 1. Launch the console and log on to the farm. 2. Choose View > Preferences > User Data. 3. Select the automatic refresh options and enter the refresh rate. You can specify automatic refresh for server data, server folders, and application user data. 4. Click OK to apply the settings. Auto-refresh settings are saved on the server on which the console is running.
Performance Considerations
The console queries the data collector and the member servers for information such as running processes, connected users, and server loads. Depending on the size of the server farm, the console might affect performance in the server farm. Consider the following recommendations for managing performance issues with the console: In MetaFrame Presentation Server deployments with hundreds of servers and thousands of users, connect only one instance of the console to the farm for each zone. Connect the console to a data collector so that the console can query data directly, rather than through an intermediate server.
90
In large farms, the console can take a long time to refresh. The refresh time depends on the number of servers in the zone, the number of clients requesting connections, and the number of console instances that are requesting information. If the refresh query takes longer to complete than the specified automatic refresh interval, the data collector becomes overloaded. Make the automatic refresh interval for users and applications as long as is practical. Citrix recommends that you do not use the minimum refresh interval of 10 seconds. For best performance, disable automatic refresh and manually refresh the data as needed. When managing a farm across a congested WAN, run the console within a client session to a remote server rather than running it locally. Running the console from within a session reduces the amount of bandwidth consumed across the WAN and provides better performance from the console.
Using Server and Application Folders

The console allows you to group servers and applications into folders. There is no correlation between the console folders and Program Neighborhood folders that appear in application sets. The console folders help you manage a large number of servers and applications and increase performance because the console queries only the servers or applications in the current folder view. One way to increase response time is to divide the list of servers into folders based on their zones. Tip Viewing server details for large groups of servers may result in incomplete information being gathered for all of the servers. To reduce this occurrence, group servers in folders under the Servers node of the console.
Load Management
When you are selecting servers to configure for load management or attaching load evaluators in large farms, the console can take several minutes to populate the lists of available servers and selected servers. During this delay, the console does not always indicate that it is still retrieving information.
Chapter 5 Managing Server Farms
91
Delegated Administration
To allow a MetaFrame administrator to shadow using the console, enable the following permissions at a minimum: MetaFrame Administrators. Log on to the console Servers. View Server Information Sessions. View Session Management
Using the MetaFrame Access Suite Console

The MetaFrame Access Suite Console extends the ability to manage your MetaFrame Access Suite deployment by integrating consoles with the Microsoft Management Console (MMC). The Access Suite Console provides a central location for managing your MetaFrame Access Suite deployment. The MetaFrame Access Suite Console is supported on the following platforms: Windows Server 2000, Windows 2000 Professional, Windows XP, and Windows Server 2003. Microsoft .NET Framework version 1.1, available in the Support folder of the server CD, is required to install the Citrix MetaFrame Access Suite Console.
Recommendations
The following section provides some tips while using the Presentation Server Extension and MetaFrame Access Suite Console. The MetaFrame Access Suite Console uses pass-through authentication. Ensure that you are logged on to the client machine (where the console is installed) as a MetaFrame administrator for the farm. To avoid issues with credentials, it is advisable to ensure that the console machine belongs to the same domain as the farm member machines. While running discovery, only one server name is required for the farm. After the discovery is run for a certain farm, the discovered objects can be saved by saving the .msc (Microsoft Management Console) file. When the .Msc file is launched again, it will know about the discovered objects. When launching the MetaFrame Access Suite Console from the ICA tool bar or from the Start menu, the choice to save the msc file is not available because the console is saved automatically every time you close it.
92
Different Web-based tools, such as the Web Interface Console and Program Neighborhood Agent Console can be launched from the MetaFrame Access Suite Console. To launch each tool using a separate Internet Explorer window, change the following parameter in Internet Explorer. 1. Choose Tools > Internet Options > Advanced. 2. Under the Browsing section, clear Reuse windows for launching shortcuts.
Published applications are not automatically updated for the Applications node in the Presentation Server Extension. The discovery process needs to be run again for the update to take effect. If the MetaFrame Presentation Server Client is not installed on the machine, the option to shadow will not be available. Use My Views to save your preferences to save you time in the future. The MetaFrame Access Suite Console communicates with the server farm using the MetaFrame COM server service. When troubleshooting, ensure that this service is running on the server. When upgrading from MetaFrame XP Feature Release 1 to MetaFrame Presentation Server 3.0, the MetaFrame COM server service fails to start. To work around this issue, un-register and then re-register the MFCOM service. From the command line, execute the following: mfcom /unregserver mfcom /regserver
The Report Center

The Report Center in the MetaFrame Access Suite Console extends the reporting capabilities of Resource Manager and allows you to generate reports from a variety of real-time and historic data sources. A wizard helps you select the type of report, the data to be displayed, and the schedule for running the report. You can view the status of your scheduled reports and adjust the report parameters. The Report Center Extension enables MetaFrame administrators to generate HTML and CSV reports from a variety of real-time and historic data sources. Commands are available to view the reports from within the console and to make the reports more widely available by copying them to other locations or emailing them to selected recipients.
93
Each successful report and a copy of the specification used to generate it is stored locally on the machine running the Access Suite Console. For reports that you plan to run regularly, you can also generate named specifications recording report formats, farm information, data source details, required time period, and other report parameters. These can then be run manually or scheduled to run when required. If you want to generate reports from a MetaFrame Access Suite Console on a different machine, neither previous reports and their associated specifications, nor any named specification will be available from the new console. However, you can copy the necessary files to the machine running the new console and use them from there, as long as the second machine has access to the same farm and Resource Manager summary database as the first one.
Locations of User-Configured Report and Specification Files

The report and specifications files are stored in %APPDATA%\Citrix\ReportCenter on a server running Windows Server 2003. Specifications are stored as .spec files in appropriately named folders within:
%APPDATA%\Citrix\ReportCenter\CustomSettings\Specifications
Generated reports (and their associated unique specifications) are stored in:
%APPDATA%\Citrix\ReportCenter\DataSets
with each set of related files in a folder with a unique system-generated name (like 4C7F885E0EF72F30). Note Each report folder's set of files includes a Results.xml file containing the raw data used to generate the necessary HTML reports, graphs, and CSV files when the user requests them. Because the HTML and CSV folders and their contents are generated only when required, they may not be present when you examine the folders within DataSets. This is by design and both types of reports can always be generated when required. To move previously created specifications and reports to the new console, copy all the relevant folders to their corresponding position on the new machine. After discovery is run and the Specifications and Jobs displays refreshed, all the transferred items are listed as before.
Known Issue
In the Jobs display, the Elapsed Time values for the copied reports is incorrect. (This is due to the way Report Center calculates elapsed time. It uses the creation time of the files and this changed when they were copied to the new machine.)
94
Administering Server Farms

Renaming Servers
The name and security ID given to a server when it is installed and added to a server farm generally remains unchanged, but the server can be renamed if necessary. To rename a server in a server farm 1. In the Presentation Server Console: In the Add Administrators wizard, select Add local administrators to the MetaFrame Administrator node From the Select Tasks screen, choose Full Administration
2. Use chglogon /disable to prevent users from logging on to the server. 3. Remove the server to be renamed from any published applications assigned to that server. 4. Stop the Citrix IMA Service. 5. Change the name of the server. 6. Restart the server. 7. Log on to the console using the local administrator account. 8. Expand the Servers folder. 9. Remove the old server name from the consoles list of servers. 10. Add the new server name to the list of configured servers for published applications..
Changing the Farm Membership of Servers

To change the farm membership of computers running MetaFrame Presentation Server, you must use the chfarm command. The correct use of the chfarm command is discussed below. You can execute chfarm from: %ProgramFiles%\Citrix\system32\citrix\ima The MetaFrame Presentation Server CD A network image of the CD
95
Executing chfarm does the following on the host server: Attempts to remove the server from the farm. Stops the Citrix IMA Service. Configures the data store. Restarts the IMA Service.
Important Considerations when Using chfarm

Consider the following when you use chfarm: Running chfarm on a server hosting the data store (Microsoft Access, MSDE) deletes the current data store database. Do not use chfarm on the server hosting the Microsoft Access or MSDE database until all other servers in that farm are moved to a new server farm. Failure to follow this process causes errors when chfarm is executed on those servers that no longer have a valid data store. When you create a Microsoft Access data store on a server in a new server farm: 1. Run chfarm first on the server hosting the new data store. 2. Execute chfarm on other servers to be added to the new server farm. 3. Run chfarm on any servers that hosted an old data store. Close all connections to the Presentation Server Console on the local server before executing the chfarm command. Execute chfarm only on a functioning computer running MetaFrame Presentation Server. Do not execute chfarm on a server that was removed from a server farm. Misuse of chfarm can corrupt the data store. Before running the chfarm command on any server in the farm, back up the data store. If chfarm reports any error, continuing the process can corrupt the data store. Instead, click Cancel and use the procedure for restoring an unresponsive server. Using chfarm does not migrate published applications or any server settings to the new server farm.
Note For more information about using chfarm with MSDE databases, see the MetaFrame Presentation Server Administrators Guide.
96
Uninstalling Servers in Indirect Mode

If you uninstall MetaFrame Presentation Server from the server that directly accesses the data store, any servers that indirectly access the data store lose access to the data store. Information such as licensing and product codes is lost. Citrix recommends that you uninstall MetaFrame from the indirect servers first and the direct server last. Uninstalling MetaFrame from the direct server first prevents any other servers from being removed from the data store. To force an uninstall of MetaFrame when the data store cannot be accessed, use the following command: msiexec /x mfxp001.msi CTX_MF_FORCE_SUBSYSTEM_UNINSTALL=YES where /x is the uninstall switch and mfxp001.msi is the name and location of the MetaFrame Presentation Server Windows Installer package. For more information about how to pass properties to the Windows Installer, see the MetaFrame Presentation Server Administrators Guide.
Cycle Booting Servers

You do not have to restart computers running MetaFrame Presentation Servers regularly to increase performance. However, if you want to configure cycle booting, follow the guidelines in this section. When the Citrix IMA Service starts after you restart a server, it establishes a connection to the data store and performs various reads to update the local host cache. These reads can vary from a few hundred kilobytes of data to several megabytes of data, depending on the size and configuration of the server farm. To reduce the load on the data store and to reduce the Citrix IMA Service start time, Citrix recommends maintaining cycle boot groups of no more than 100 servers. In large server farms with hundreds of servers, or when the database hardware is not sufficient, restart servers in groups of approximately 50, with at least 10 minute intervals between groups. Tip If the Service Control Manager reports that the IMA Service could not be started after you restart a server, but the service eventually starts, ignore this message. The Service Control Manager has a time-out of six minutes. The IMA Service can take longer than six minutes to start because the load on the database exceeds the capabilities of the database hardware. To eliminate this message, try restarting fewer servers at the same time.
97
User-to-User Shadowing Best Practices

Users can shadow other users without requiring administrator rights. Multiple users from different locations can view presentations and training sessions, allowing oneto-many, many-to-one, and many-to-many online collaboration. Best practices for administering user-to-user shadowing include: Do not assume that members of the administrators group have shadowing rights by default. Although local administrators may have shadowing rights enabled in Connection Configuration, they cannot shadow users who were assigned to the policy by default. You must add the members of the local administrators group to the list of people with shadowing rights in the user policy. Although in general user policies take precedence over settings configured in other MetaFrame utilities, shadowing is an exception. If shadowing is disabled during MetaFrame Presentation Server Setup or disabled in Connection Configuration for a particular connection, user policies with shadowing enabled have no effect. Apply Service Pack 3 for Windows Server 2000 or later, or apply Microsoft Hotfix Q281951 to disallow unwanted cross-server shadowing after configuring shadow policies in the Presentation Server Console. You can configure and manage user shadowing in Connection Configuration, during installation of MetaFrame Presentation Server, and using the shadow policies. To avoid unnecessary administration, use shadow policies as a central control for shadow settings. Exceptions to this rule include the need to adhere to local governmental laws that stipulate certain privacy requirements.
98
Installation Manager Recommendations

Installation Manager is available as a component with MetaFrame Presentation Server, Enterprise Edition. For more information about using Installation Manager, see the Installation Manager Administrators Guide.
Group Size Considerations

With Installation Manager, you can install applications to predefined groups of servers. When you create server groups, you can install applications to a specific set of servers quickly and efficiently. Creating server groups eliminates the need to manually select individual servers with every installation. When you create a server group for application deployment, consider the following: How you want to use your server groups Keep your group size reasonable (see table below)
Small Application size Recommended group size < 5 MB < 100 Medium 520MB < 80 Large > 20MB < 50
Installation Manager deploys applications to servers simultaneously, but does not use multicasting. Each target server reads the data from the location where the installation package is stored. Large installation packages (for example, Microsoft Office XP) copy more than 200 megabytes of data from the package server to the target server. The amount of data transferred across the network is:
D = I x N
Where: D = the amount of data I = the size of the installation N = the number of target servers Smaller group sizes are needed when installing applications that require a server to restart. Installations occur simultaneously and all of the servers will restart at nearly the same time. Because of this, a transient load is placed on the data store. The capacity of the data store server and the internetworking infrastructure greatly affect the performance of the network when you are deploying applications and restarting servers. The table above contains suggestions based on a 100Mbps switched Ethernet infrastructure. Cluster groups logically. Deployment is more efficient if several logical groups are created that match the schema of the overall enterprise. One group might contain servers that host standard business applications, another group can host engineering applications, and so on.
99
Network Setup
The network setup recommendations for MetaFrame Presentation Server also apply to Installation Manager. The more efficient and capable the network, the quicker and easier applications are to install. The use of switches, high-speed backbones, and high-speed disk drives greatly enhance the ability of Installation Manager to install applications to large server farms efficiently.
Application Deployment Issues with Installation Manager

This section contains issues you should consider when using Installation Manager in conjunction with MetaFrame Presentation Server to deploy applications.
Package Server
The following package server recommendations help ensure a clean package file: Keep the package server as similar in configuration (both hardware and software) as possible to the target server. Make the package server as clean as possible. Roll back previously installed applications before recording. For additional information, see the Installation Manager Administrators Guide. Do not run other applications while an image is recording. Stop any unnecessary background processes before recording an installation using Packager, including the IMA Service, especially if a manual install needs to be performed. Background processes and file changes may be recorded by Packager and could overwrite important files such as the local access database files used by the IMA Service. Do not package applications through an ICA session.
Deployment Server
The deployment server is the server where the package and installation files reside. All target servers communicate with this server to get the files and information required to install the application. The following recommendations offer helpful information about deploying packages: Put the deployment server on a server grade machine. Each target server requests the same file set from the deployment server. The load on the deployment server can be high. The deployment server must be capable of handling the combined load of the servers in a deployment group connecting and requesting information simultaneously.
100
Put the deployment server on a 100Mbps switched Ethernet port. Running the deployment server in a shared collision domain increases latency. Connections can be refused due to time-out or server overload. This problem increases on a busy network and when many servers are targeted for a single installation.
Network Share Account

he network share account allows the target server to have access rights to the network share point where the package is located. To set up a network share account 1. Right-click the Citrix Installation Manager node in the Presentation Server Console and choose Properties. 2. Type the domain account and password that will be used to access network shares. When running an unattended or silent installation, the network share account must have administrator privileges on the target server. Important Installation Manager supports only Windows domain authentication models; it does not support workgroups.
Package Group Deployment

Package groups are used to deploy multiple packages to the same target server or server groups in one schedule. Consider the following points when deploying package groups: To simplify deployment, create package groups from similar packages. After the package groups are deployed, do not make changes such as adding packages to or deleting packages from the package group. Making changes to the package group may result in uninstall errors. If you need to deploy new packages, create a new package group and then deploy it. If changes are made to a deployed package group, the Job status tab of the Job Properties window does not report installation status for the deleted or newly added package. After scheduling an installation of a package group, do not make changes to the package group contents, because it may result in temporarily inaccurate job result information. Refresh the console to correct this behavior.
101
Job Scheduling and Staggered Installations

The following recommendations can lower bandwidth consumption, allowing the farm to function without a loss of performance. Schedule the installation of packages during times of low network usage Installation Manager supports staggered installations of package groups. Installation window options and multiple dates can be used for package groups to schedule the installation job during a certain time period within specific days. Consider the following recommendations when staggering installations: Schedule the installation window during times of low network usage. Select multiple dates if the installation of the packages in a package group requires multiple dates for installation. The packages that havent been installed will begin installation in the same installation window on the selected dates.
Important A staggered installation of a single package is not supported.
User-Specified Reboot
The behavior of the server when it is restarted when deploying packages is affected by three options: Do not reboot servers if any user sessions are open. If you set this option before deploying packages, the target server will not restart if a user connection to the target server is detected even though the package deployment requires a restart. To finish the deployment, the target server must be restarted manually after the user logs off. This can be overwritten if you set the Force reboot after job option (see below) during the scheduling of the installation of a package. Delay reboot until the end of job. If you deploy a package group and one or more of the applications requires a restart at the end of the deployment, you can set the Delay reboot until the end of Job option when you schedule the installation. This postpones the restart until the end of the entire package group deployment. Force reboot after job. If you set this option, the server restarts after the package is deployed. Any active user sessions receive a message from the server asking them to log off. The messages are sent at five minute intervals for 15 minutes, and then the server restarts. Any active sessions are terminated.
102
Recording Applications during Installation

Installation Manager Packager monitors the changes that occur on the packaging server when an application is installed, records the changes as installation commands in a script, and then packages all application files so you can deploy the package on target servers. Read the list below for guidance about recording applications: Installation Manager Packager cannot resume package recording if the server is restarted while you are installing an application. When recording an application that prompts the user for a restart, cancel the restart and stop the recording on the Packager. Installation Manager Packager cannot record an application that forces a restart that cannot be canceled by the user. Installation Manager Packager cannot record an application that requires multiple server restarts during installation (see next point). If an application has an unattended installation program, the Packager creates a package from the unattended installation program only. The Packager will not record the actual installation. When using the Packager to package the application, choose the Add Unattended Program option to package an unattended install program and any other necessary files. This method allows applications that require one or more restarts during installation to be packaged using Installation Manager.
Application Deployment over a WAN

Do not deploy applications to target servers across a WAN. The amount of bandwidth and time required to install an application over a WAN can congest the network for extended periods of time, which can result in networking time-outs. To avoid this situation, take the following steps: Create a new application package at the remote site where the application is to be deployed If there is more than one remote target server, copy the package and the associated installation files over the WAN once; deploy it on that segment
103
Resource Manager Recommendations

Resource Manager is available as a component with MetaFrame Presentation Server, Enterprise Edition. For more information about using Resource Manager, see the Resource Manager Administrators Guide. Resource Manager stores all of its configurations, settings, thresholds, and metrics in the data store and in the local host cache. Resource Manager contains a local Resource Manager database and a Farm Metric Server.
Local Resource Manager Database

Servers with Resource Manager installed store their own metric information in a local Microsoft Access Jet Database called RMLocalDatabase.mdb that is in %ProgramFiles%\Citrix\Citrix Resource Manager\LocalDB. This database is compacted when the IMA Service is started and once a day while the IMA Service is running. License Server Connection Failure is not a default metric. To set up license server connection failure alerts, you must add the License Server Connection Failure perfmon counter from the Citrix MetaFrame Presentation Server object to the server you want to monitor.
Farm Metric Server

The Farm Metric Server is used for application and server monitoring. The Farm Metric Server gathers its information from the data collector. Because the Farm Metric Server accesses the data collector every 15 seconds, configuring data collectors to also perform the role of the Farm Metric Server and the backup Farm Metric Server can improve performance. The Farm Metric Server can also perform the role of the database connection server. Although Resource Manager can track any Performance Monitor counter as a server metric, Citrix recommends you limit the total number of metrics tracked on a server to fewer than 50. Important In a farm that contains servers running various MetaFrame XP feature release levels, the primary Farm Metric Server must be running MetaFrame XP Feature Release 2 or later or you will encounter errors with the summary database.
104
Alerts
Resource Manager can send alerts to users or groups of users. The following list offers tips for using alerts: If your email service does not send alerts, confirm that you can access the mail server using the configured account, and verify that the mail client being used (for example, Microsoft Outlook) is the default mail client for the server. To enable Resource Manager to send Simple Network Management Protocol (SNMP) traps for application alerts, SNMP must be set up on the primary and backup Farm Metric Servers.
Summary Database
The summary database is used for storing historical data from servers in the farm. You can produce reports, such as billing, based on the stored data. The reports can use several criteria, such as CPU usage or application usage. Consider the following when using the summary database: Each farm that requires the summary database must have a database connection server, that writes the metric information from other farm servers to the summary database. The connection between the database connection server and the database where the metric information is stored is defined by a system Data Source Name (DSN) called RMSummaryDatabase. Data is stored on each server in summary files. Summary files are updated whenever a session or process terminates, whenever an event occurs, and once an hour for metrics. Each Resource Manager server in the farm caches its own summary data locally for 24 hours and then transmits it to the database connection server at a configurable time of day, preferably at off-peak hours. Reports on data in the summary database can be generated by the Presentation Server Console in a manner similar to those available for the local database for each server.
Tip Report templates for use with Crystal Reports software are available from the Citrix Web site at http://www.citrix.com.
Tip By default, metrics are stored in the summary database. You can change this on the Threshold Configuration screen. You can also specify the time of day or week that metrics are recorded in the summary database on a per server basis.
105
Data Purging
You can control how long data is stored in the summary database by purging the database after a set period. You can also turn off purging, in which case all data is kept for an indefinite period. Note Active sessions and the processes associated with them are not purged from the database whether they are or are not billed.
Note Processes are purged only if their parent session record is purged (that is, to maintain data integrity, it is not desirable to purge only process records).
Summary Files
Summary files are written only when the summary database is enabled in the farm. Each file is given a random name when it is created. At creation time, a header is written to the file and this header contains the following fields: Schema Version, Servers Name, Servers Domain, and Farm Name. Additional records are written to the file based on these events: When a process terminates, a process record is written to the file Every 60 minutes a metric record is written for each metric configured to store summary data When a session is started, a session record is written When a session ends, a session record is written When an event is generated, an event record is written
Note Only Server Up and Server Down events are stored. The server down event is generated by the Farm Metric Server if a server cannot be contacted. The server up event is generated by the server when the IMA Service is restarted.
Note Summary files can be copied manually to the database connection server or other servers before the daily update starts. The header information in the summary file ensures the records are associated with the correct server.
106
Folders and Zones

MetaFrame XP Feature Release 3 and later provides the ability to record which folders and zone a server is in at the time of writing data to the summary file. This information can be used to group servers when creating reports outside of the console. By default, the summary period for server metrics is one hour. If either the folder or zone changes for a server, just before writing the next set of server metric records to the summary file, a new folder and zone record is written. All following server metric records are associated with this new Folder and Zone record. This means that if the folder or zone changes multiple times within the summary period, only the one record is written prior to writing the new server metric records to the summary file. All other folder and zone changes will go unnoticed.
Updates to the Database Connection Server

Uploads to the database connection server are initiated by the individual servers in the farm based on the upload time configured. The following considerations apply when uploading to the database connection server: Only summary files that are not currently active are uploaded to the database connection server. If the database connection server receives another request to upload a summary file, it logs a duplicate request and the old request is deleted from the list. This can occur if updates are taking longer than 24 hours. The default setting for concurrent uploads is 10. The default setting for concurrent imports is one. This reduces the requirement for database connection licenses. Importing a record into the summary database twice will not cause duplicate entries. If a summary file takes longer than 30 minutes to transfer, the database connection server assumes it timed out and deletes any record of requesting it. This file is not retransmitted until the next update period 24 hours later unless a manual update is invoked. If the uploaded summary file eventually reaches the database connection server after it timed out, it is ignored and deleted.
107
Upload time is compared to the server time; the servers time zone is used to determine if uploads should begin. Example: A server farm has the majority of the machines in the East Coast of the USA and a smaller zone in the UK with the upload time set to 1 AM. The servers in the USA begin to upload files at 1 AM EST, while machines in the UK start their uploads at 1 AM UK time, which is 8 PM EST. A duplicate upload request message in the database connection server log is an indicator of problems in the system but is not an error. The duplicate request will not cause any invalid or duplicate data in the summary database and should be treated as an informational message. An example that could result in a duplicate upload request would be a manual upload requested when an upload is already under way, either a timed update or a previously requested manual request; uploads taking more than 24 hours to complete, resulting in the next daily upload beginning before the previous one has completed.
SDB_Heuristics Table
With large amounts of data in a summary database (for example, of the gigabyte order), the console may be unable to display very large reports. The sdb_heuristics table in the summary database is used by Resource Manager to ensure that any summary report to be generated can be displayed within the console. By default, the table contains the following entries and values:
PK_HEURISTIC BILL_HTML_MAX (characters) MAXIMUM_PRACTICAL_HTML_BYTES (bytes) PROCESSES_PER_SESSION SESSIONS_PER_USER_PER_DAY USERSUM_HTML_BYTES_PER_PROCESS HEURVALUE 72500 1048576 10 5 128
When the administrator specifies various report options in the summary report generation dialog boxes, Resource Manager performs calculations based upon these options, and the entries in the SDB_HEURISTICS table, to estimate the size of the report.
108
If the estimated value is greater than MAXIMUM_PRACTICAL_HTML_BYTES (in the case of Process, User, and Server Summary reports) and BILL_HTML_MAX (in the case of Billing reports), a warning message appears, stating that the report may be too large to be displayed within the console. You can cancel the report generation or continue. If you continue and the report cannot be displayed, an error message appears. You can save the report directly to disk and view the report using another application capable of viewing HTML files (for example, Internet Explorer). The values in the table can be modified to reflect the farm usage and control the size of the reports. Note The number of report windows open determines whether or not the console can display further reports. Each time a report is returned to the console, a calculation is performed that subtracts the size of the report (in bytes for Summary reports and characters for Billing reports) from the respective maximum values in the table producing an available size figure for subsequent reports. Accordingly, you are more likely to receive a warning that a report cannot be displayed if multiple reports are open. After a report is closed, its size is returned to the available size figure for future reports.
Note If the summary database is not available, all reports (Current Process, Current User, and Server Snapshot) will make use of a hard-coded default value of 1048576 bytes (= 524288 characters).
109
Network Manager Issues

Network Manager is available as a component with MetaFrame Presentation Server, Enterprise Edition. For more information about using Network Manager, see the Network Manager Administrators Guide. In Tivoli NetView, the server icon is sometimes green, while the subsystem icons are light blue. In this case, highlight the green server icon and perform a status update to update the status of the subsystem icons. This is a Tivoli NetView IP map issue that occurs when NetView is left running over long periods of time. When using Tivoli NetView, if the Trapd.exe process is killed while the Metadis.exe and Metalan.exe services are running, each service acquires 50% CPU utilization. The services do not return to normal CPU levels until Trapd.exe is restarted. This is a known issue with Tivoli NetView. In HP Network Node Manager, a link-down status is represented by a blue icon. This occurs only if the server cannot be contacted by the console when the status update is performed. In Tivoli NetView, a link-down status is displayed in red. When Network Manager is uninstalled from one of the SNMP management consoles, by default the Network Manager icons stay in the IP map until they are deleted and the nodes are rediscovered. For Computer Associates Unicenter to be able to re-class Windows servers as MetaFrame servers it is necessary to configure and enable Security Management (secadmin), otherwise a message similar to Security authorization failure. The action has been denied will appear in the Unicenter event log (conlog). In Windows Server 2000, the default security setting for the SNMP service is read only. In Windows NT 4.0 Terminal Services Edition, it is read/write. Network administrators cannot perform SET operations (logoff, disconnect, send message, and terminate process) from Network Manager consoles unless the security setting is read/create. Action: Change security to read/create.
The following are known issues and recommendations for the SNMP Agent:
110
Microsoft has released security bulletins for SNMP security risks. Apply the following bulletins to all MetaFrame servers and instances of the Presentation Server Console: MS00-095: Windows NT 4.0 MS00-096: Windows Server 2000 MS02-006: Windows NT 4.0 Terminal Services Edition, Windows Server 2000, and Windows XP
Tip Enable or disable the SNMP Agent when farm activity is low. For Windows Server 2003, the SNMP service will by default accept only SNMP messages from local host. Windows Server 2000 and previous operating systems allowed any SNMP messages from any host from the start. Action: Add more servers to the list of allowed hosts (recommended) or allow messages from any host (not secure). Older versions of Network Manager had the ability to shut down or restart a MetaFrame server. To comply with Microsoft SNMP security, these options were removed in newer versions of the plug-ins. Any attempt to restart a MetaFrame server with an older version of a Network Manager plug-in will be denied.
111
Using Visual Basic Scripts to Access the WMI Provider

Windows Management Instrumentation (WMI) is the standard management infrastructure included as part of Microsoft Windows Server 2000 and Windows Server 2003. The WMI Provider for MetaFrame Presentation Server supplies information about servers and server farms. This information is displayed by the MetaFrame Presentation Server Management Pack, which is a plug-in to Microsoft Operations Manager (MOM). You must install the WMI Provider on each server you want to monitor with MOM. Another means of accessing information provided through the WMI Provider is by using Visual Basic scripting. The scripts provided in this section are intended as starting points that can be modified to meet specific requirements. Note The data returned by the WMI Provider is read-only. This section assumes familiarity with WMI and Microsoft Operations Framework (MOF) files. Citrix recommends that you download a copy of the Microsoft WMI tools including CIM studio from the Microsoft Web site.
WMI Provider Schema

The schema for the WMI Provider is as follows: ClassesVersion 1.0 of the WMI Provider has 45 classes that fall into two basic types: Citrix classesThe information contained in these classes applies to all servers in the farm MetaFrame classesThe information relates to a specific server in the farm
SubclassesMany of the classes are linked to subclasses; for example, the Citrix_Server class has MetaFrame_Server as a subclass. EventsFourteen MetaFrame events relate to sessions, folders, applications, and servers. One Citrix event relates to zone elections. AssociatorsMany classes have associations between them. You might use these when looking for a particular piece of data that is associated with the current class instance you retrieved. For example, if you are viewing information for a MetaFrame server, you may want to know what licenses were explicitly assigned to that server. You can use the Citrix_LicensesAssignedToServer associator to find this information.
112
MethodsThe WMI Provider provides three methods to manage sessions, along with methods to clear the Zone Election and disconnected session happening data. Every time there is a zone election in the farm, WMI stores details about the zone election in a file. Every time a user disconnects from the server, WMI records when the disconnection took place. Over a period of time this file can become quite large or contain outdated information. The WMI provider can remove all the zone election/disconnection data, or just data recorded before a certain date.
Script Coding Styles

You can use three different styles of coding to access WMI information. The scripts listed here generally use enumeration, but this is not necessarily the best or the only way. EnumerationThis method gets all the instances of data in a class. It can be used when all the instances are needed and not one specific piece of data. For example, it can be used to list all the servers in a farm or all the zones in a farm. GetObjectThis is used to extract a specific piece of data for example, the number of grace days left for a specific license number, as opposed to listing all Citrix licenses and examining the grace days for them all. One issue with the GetObject style is the limitation of having to access WMI employing the user the script is running as. WQLThis style is similar to SQL, though it has some limitations because it is a subset of the language. One particular limitation is the lack of the LIKE operator that may mean enumeration is needed instead. For example, the administrator cannot specify a list of servers whose IP address is 10.30.32.xxx.
Permissions
It is important to note that you generally need administrator privileges to access WMI information, both as a machine administrator and as a Citrix administrator. The WMI Provider does respect the restricted administrator privileges that can be set in the console. View-only administrators cannot log off or disconnect sessions using the WMI Provider even if they are local server administrators. Because scripts will generally be running with administrator privileges, it may not be possible to stop scripts from taking undesired actions, so scripts that disconnect, send messages, or log off sessions need to be well tested before running them in a production environment.
113
Script Methods
Manging SessionsLogoff, Disconnect, and SendMessage
The three methods available for session management are Disconnect, Logoff, and Sendmessage. These operate the same way that the Presentation Server Console manages ICA sessions. Note that Metaframe_Session returns all the current sessions, including the console and listener sessions, so even if there are no active sessions on a server, five sessions are listed. When using MetaFrame_Session, check that the correct number of sessions for real sessions exists by checking the SessionState and SessionName properties. The value returned by SessionState is numeric; this can be mapped using the MetaFrame.MOF file. Open the MetaFrame.MOF file and look for MetaFrame_Session to find an entry: [Values {.... This contains textual translations of the numeric data. In this case the list is zero-based, translating to:
0 1 2 3 4 5 6 7 8 9 User logged on Connected to client Connecting to client Shadowing other session Logged on but no client Waiting for connection Listening for connection Reset in progress Down due to error Initializing
Note that a Session State of 1 indicates that a client is waiting for a logon.
114
Purging Event DataPurgeAllHappenings and PurgeAllHappeningsBefore

MetaFrame Disconnect Events and Zone Elections are stored in the CIM repository. This file grows unless you purge it using the PurgeAllHappenings or PurgeAllHappeningsBefore methods. Note To use the PurgeHappeningsBefore method, specify the date in Universal Time Code (UTC) format. The following script purges all disconnected session happening events for server SERVER01:
Option Explicit Dim sReturnValue Dim objresult Dim Service Dim DatePast Dim ProviderKey Dim inParam Dim NameSpaceLocator Dim strServerName StrServerName="SERVER01" Set NameSpaceLocator = CreateObject ("WbemScripting.SWbemLocator") Set service = NameSpaceLocator.ConnectServer (strServerName, "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials Set ProviderKey = Service.Get("MetaFrame_Purge_ DisconnectedSession_Happening") Set objresult = ProviderKey.ExecMethod_ ("PurgeAllHappenings") sReturnValue = objresult.Properties_("ReturnValue").Value msgbox sReturnValue & " " & " events were purged ", 0, "Number of events purged"
To keep data for a specific amount of time, for example analyzing disconnect data over the last seven days, use the PurgeHappeningsBefore method. In Visual Basic 6, use the format$ function to convert to UTC, but in VBS, chop up the string and provide it in the yyyymmddHHMMSS format with the .000000000 piece appended to the end.

Set ProviderKey = Service.Get("MetaFrame_Purge_ DisconnectedSession_Happening") Set inParam = ProviderKey.Methods_("PurgeHappeningsBefore"). InParameters.SpawnInstance_() sDateTime = Format$(myDate, "yyyymmddHHMMSS") & ".000000-000" inParam.Properties_.Add("dtPurge", wbemCimtypeDatetime). Value = sDateTime Set objresult = ProviderKey.ExecMethod_ ("PurgeHappeningsBefore", inParam)
115
Performing Tasks
Converting Numeric Data to MOF Strings
To display the MOF string equivalent of data from the Provider, use the Qualifiers_(Values) property to convert this data, where there is an appropriate string in the MOF file:
strState = MFSession.Properties_("SessionState").Qualifiers_ ("Values").Value(MFSession.SessionState)
To list all sessions on the server with the MOF string value rather than the numeric one:
option explicit Dim NameSpaceLocator Dim Service Dim strSession Dim objMFSessions Dim MFSessions Dim MFSession Dim serverName Dim strSessionID Dim strSessionList Dim strState Set NameSpaceLocator = CreateObject("WbemScripting. SWbemLocator") serverName=inputBox ("Please enter a server in the farm you want to list Sessions") if serverName ="" then wscript.quit end if Set service = NameSpaceLocator.ConnectServer("server01", "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials Set objMFSessions=Service.get("MetaFrame_Session") set MFSessions=objMFSessions.instances_ For each MFSession in MFSessions
116

strSessionID=MFSession.Properties_("SessionID") strState=MFSession.Properties_("SessionState").Qualifiers_ ("Values").Value(MFSession.SessionState) strSessionList=strSessionList & strSessionID & " : " & strState & vbCRLF next Wscript.echo "Session List" & vbCRLF & strSessionList
Connecting to a Remote Server as a Different User

If you are not logged on as an administrator, but you need to run WMI scripts as a different user on a remote machine, specify a particular user name and password:
Set service=NameSpaceLocator.ConnectServer(serverName,"root\ Citrix",strUserName,strPassword Specify a domain as part of the username, e.g. StrUsername="Domain\Username"
Using Associators to Retrieve Data

Associators allow data retrieval based upon data from a different class. For example, you may want to find out which clients are connected to a particular server, or what applications are currently running. When listing all applications running on a server, note that published desktops are not listed. In this instance, the associator between Citrix_Server and MetaFrame_Application is MetaFrame_ApplicationsRunningOnServer.
option explicit Dim NameSpaceLocator Dim Service Dim serverName Dim Citrix_Servers Dim ClassKey Dim server Dim AKey Dim strAssociator Dim AppAssociators Set NameSpaceLocator = CreateObject("WbemScripting. SWbemLocator") Dim MetaFrameApp Dim strResult serverName=inputBox ("Please enter a server in the farm you want to check") if serverName ="" then wscript.quit end if

Set service = NameSpaceLocator.ConnectServer(serverName, "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials
117
Set ClassKey = service.Get("Citrix_Server") AKey="Metaframe_ApplicationsRunningOnServer" Dim AppCount Set Citrix_Servers = ClassKey.Instances_ for each Server in Citrix_Servers strAssociator="MetaFrame_Server.ServerName=" & chr(34) & server.ServerName & chr(34) set AppAssociators=service.AssociatorsOf (strAssociator,Akey) strResult=Server.Properties_("ServerName") & vbCRLF on error resume next ' following line can fail if no associators appcount=AppAssociators.count if appcount>0 then for Each MetaFrameApp in AppAssociators strResult=strResult & MetaFrameApp. Properties_("BrowserName") & vbCRLF next wscript.echo strResult else Wscript.echo "No applications running on " & strResult end if next
To obtain a list of applications on a server, start with the MetaFrame_Server class, then use the MetaFrame_ApplicationsRunningOnServer associators, then the MetaFrame_Application class. Note The on error resume next following line can fail if no associators line is relevant if a server has no applications published (WMI will return an error message that you can ignore).
118
Monitoring Citrix and MetaFrame Events

Citrix and MetaFrame events are more advanced, because they need an application to receive them. Such an application is often referred to as a consumer. While Visual Basic Scripting can be used, a GUI application is often more suitable. However, the code is fairly similar between the two, so specify the events you want to subscribe to (listen for), then set up an event sink (specify where you want the information to be sent). A dialog box is displayed that allows you to halt the script (you click OK to halt the script). Run the script, then connect to the server. Try disconnecting the session. The number returned can be converted to a text string by looking in the MetaFrame MOF file. The script receives all MetaFrame events; change the WQL to limit the type of events that are needed. Zone Elections are CitrixEvent, so to monitor these, change the strQuery to Select * from CitrixEvent. To end the script, click OK in the message box saying Click OK to end. The message box is there to stop the script terminating before receiving any events. It is useful to store event data in a database for use in reports about how a server is being used or how many zone elections are taking place. If a large number of disconnects occur in a short space of time, there may be a network problem. Over time you can profile when users log on and when a server is likely to be overloaded.
Option Explicit dim strQuery dim objEvent Dim NameSpaceLocator dim service dim objSink dim objConnector Dim ServerName serverName=inputBox ("Please enter a server in the farm you want to check") if serverName ="" then wscript.quit end if strQuery="Select * from MetaFrameEvent" set objConnector=GetObject("winmgmts:{impersonationLevel= impersonate}!//" & servername & "/root/Citrix")

set objSink= Wscript.CreateObject("Wbemscripting. SWbemSink","MYSINK_") objConnector.ExecNotificationQueryAsync objSink, strQuery MsgBox "Click ok to end" Sub Dim Dim Dim Dim Dim MYSINK_OnObjectReady(objSvc, objAsynContext) PropertySet PropertyInstance QualifierSet strResult eventType
119
set PropertySet=objSvc.properties_ for each PropertyInstance in PropertySet strResult = strResult & PropertyInstance.Name & " = " & PropertyInstance.Value & vbCRLF Set QualifierSet = propertyInstance.Qualifiers_ EventType = EventType & QualifierSet.Item("values").Value(propertyInstance.Value) Next Wscript.echo "Event took place" & vbCRLF & strResult & vbCRLF & EventType End sub
120
Sample Scripts
List All Servers in a Farm
The following script lists all servers in a farm. The script prompts for a server name and then retrieves the details from the Citrix_Server class for that server and all the other servers in the same farm. It is not necessary for the specified server to be a data collector. If possible, run the script against a server that is the only server in the farm and then a server that is part of a group of servers in the farm. The script performs four tasks: Establishes a connection to the Citrix WMI Namespace on the server, using the current Windows NT credentials Obtains a list of all instances of data for the Citrix_Server class For each Citrix server, lists all the property names and the values for the Citrix_Server class Displays the result in a message box
Save the script as Serverlist.vbs

Option Explicit Dim NameSpaceLocator ' Top level handle to the WMI Namespace to begin Dim Service ' a pointer to the Citrix namespace Dim ServerName ' The server to connect to Dim ClassProperty ' A specific property in the class Dim ClassPropertySet ' The set of properties in the class
The following line needs administrator permissions, so run the script as an administrator:
Set NameSpaceLocator = CreateObject("WbemScripting. SWbemLocator") serverName=inputBox ("Please enter a server in the farm you want to check") if serverName<>"" then ' Connect to the Citrix specific namespace in WMI Set service = NameSpaceLocator.ConnectServer(serverName, "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials Dim Dim Dim Dim Citrix_Servers ' the list of Citrix servers in the farm server ' a single Citrix server ClassKey ' A pointer to the Citrix_Server class to use strResult ' a string for the message box
121
Set ClassKey = service.Get("Citrix_Server") ' now get a list of all the data (instances) in this class Set Citrix_Servers = ClassKey.Instances_ strResult="Farm has " & ClassKey.instances_.count & " servers in it." & vbCRLF ' Use enumeration to get a list of all the servers in this class ' and all the properties in the Citrix_Server class For Each server In Citrix_Servers set ClassPropertySet = server.Properties_ for each ClassProperty in ClassPropertySet strResult=strResult & ClassProperty.Name & " = " & classProperty.Value & chr(9) next strResult = strResult & vbCRLF Next wscript.echo strResult End if
Note There is no error handling in this script. It assumes that the right server name was provided and that WMI Provider is installed on the server. If there is more than one server in the farm, the server used to connect will have more properties than the other servers, such as NumberOfActiveSessions because the Citrix_Server Class has MetaFrame_Server as a subclass. Here is an example of explicitly specifying a particular property:
For Each server in Citrix_Servers StrResult =StrResult &server.Properties_ ("ServerName")& " " & server.Properties_("IPAddress") Next
122
Log off All Sessions on a Single Server

In a similar fashion to listing servers, this script enumerates all the sessions on a server and logs them off. Note that the Windows NT console is listed and the script attempts to log that off. To avoid this, check the SessionName property for Console.
option explicit Dim NameSpaceLocator Dim Service Dim strSession Dim objMFSessions Dim MFSessions Dim MFSession Dim serverName Dim strSessionID Set NameSpaceLocator = CreateObject("WbemScripting. SWbemLocator") serverName=inputBox ("Please enter a server in the farm you want to Logoff Sessions") if serverName ="" then wscript.quit end if Set service = NameSpaceLocator.ConnectServer(serverName, "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials Set objMFSessions=Service.get("MetaFrame_Session") set MFSessions=objMFSessions.instances_ For each MFSession in MFSessions Select Case MFSession.Properties_("SessionState") Case 0,3,4 strSessionID=MFSession.Properties_("SessionID") wscript.echo strSessionID MFSession.ExecMethod_("Logoff") end select next
Note To log off all sessions, you may need to run the script more than once, because a user may log on while the script is running. By combining this script with the server list script, you can log off all sessions on all servers in the farm.
123
Sending Messages to Sessions

The script for sending messages to sessions is similar, but has an extra piece of code to handle the message title and message. A method may take a different number of parameters and data types; in this instance they are both strings.
option explicit Dim NameSpaceLocator Dim Service dim strSession Dim objMFSessions Dim MFSessions Dim MFSession Dim serverName Dim objMethod Dim inParam dim outParam Set NameSpaceLocator = CreateObject("WbemScripting. SWbemLocator") serverName=inputBox ("Please enter a server in the farm you want to check") if serverName ="" then wscript.quit end if Set service = NameSpaceLocator.ConnectServer(serverName, "root\Citrix") service.Security_.ImpersonationLevel = 3 ' use the current Windows NT credentials Set objMFSessions=Service.get("MetaFrame_Session") set MFSessions=objMFSessions.instances_ For each MFSession in MFSessions Select Case MFSession.Properties_("SessionState") Case 0,3 ' logged on or shadowing sessions only set ObjMethod=MFSession.Methods_("SendMessage") set inparam=ObjMethod.Inparameters.SpawnInstance_() inParam.Properties_.Add("message",vbString).Value="Please logoff, system going down in 5 minutes." inParam.properties_.Add("Title",vbString).Value="Server Warning" set outParam=MFSession.ExecMethod_("SendMessage", inParam) end select Next
124
Porting to Visual Basic 6

You can port the code examples provided above to Visual Basic 6, but there are extra requirements in Visual Basic (for example, specifying data types) that Visual Basic Scripting hides. Visual Basic does, however, make debugging easier, especially as scripts begin to grow in length. If you need a Web view of the data, you could consider porting to Active Server Pages. The scripts were written for the Windows Server 2000 platform. Visual Basic.NET can use the Visual Basic Scripting style, but ideally it should use the System.Management object class. While the basic principles are the same, the actual code is different. For Visual Basic 6, specify data types and object types and add Microsoft WMI Scripting V1.2 Library to the project references. If you are unsure what object type the Provider is returning, use the generic Dim var as object and rely on Visual Basic to perform late binding on the object. If enumerating a class that has subclasses, take care if you assign the properties into an array, because more properties may be returned than necessary. When evaluating a class, the names of the subclasses are returned, but not their properties. Note Citrix_User, Citrix_UsersInGroup, and Citrix_Group can take a while to evaluate, especially in large, distributed domains with several trust relationships.
Events in Visual Basic 6

The code is similar to that above, but an event sink must be on a form. First ensure Microsoft WMI Scripting V1.2 Library is added in the references of the project. You need to add:
Option explicit Dim withEvents sink as SwbemSink
in the General Declarations section of a form in the application, and put the code for the event subscription and sink as procedures on the form:
Public Function MFEvents() As ErrObject On Error GoTo ErrorHandler Dim Services As swbemservices Dim strComputerName as string StrComputerName =server01 Dim NameSpaceLocator As SWbemLocator Set NameSpaceLocator = CreateObject("WbemScripting.SWbemLocator") Set Services = NameSpaceLocator.ConnectServer(strComputerName, "root\Citrix") Dim strQuery As String Dim cntxt As SWbemNamedValueSet

Set sink = New SWbemSink
125
strQuery = "SELECT * FROM MetaFrameEvent" Set cntxt = New SWbemNamedValueSet cntxt.Add "sinkname", "ExecNoteAsync" Services.Security_.Privileges.Add (wbemPrivilegeSecurity) Services.ExecNotificationQueryAsync sink, strQuery, , , , cntxt ErrorHandler: If Err <> 0 Then Set MFEvents = Err Err.Clear End If End Function Private Sub sink_OnObjectReady(ByVal objWbemObject as WbemScripting.ISWbemObject,ByVal objWbemAsyncContext as WbemScripting.ISWbemNamedValueSet) ' Process the events here Dim cntxt_item As WbemScripting.SWbemNamedValue Dim PropertySet As SWbemPropertySet Dim propertyInstance As SWbemProperty Dim QualifierSet As SWbemQualifierSet Dim EventType As String If objWbemObject.Properties_.Count <> 0 Then Set PropertySet = objWbemObject.Properties_ EventType = Time$ & Chr$(9) For Each propertyInstance In PropertySet If propertyInstance.Name = "EventType" Then Set QualifierSet = propertyInstance.Qualifiers_ EventType = EventType & "Type:" & Chr$(9) Select Case objWbemObject.Properties_ ("EventType").Origin Case "MetaFrameEvent" EventType = EventType & QualifierSet.Item("values").Value(propertyInstance.Value) End Select EventType = EventType & Chr$(9) Else eventType = eventType & propertyInstance.Name & " : " & propertyInstance.Value & Chr$(9) End If Next End If MsgBox EventType End sub
126
Unsigned Long Integers

In Visual Basic 6, long integer types are SIGNED, but the WMI Provider has some properties that are UINT32 (unsigned) and are not, therefore, understood by Visual Basic. In the following section of code, CIMType 19 is a UINT32. To test to see if the value is negative, convert the value to a double and add the appropriate amount to correct the signing problem.
If Not (IsNull(propertyInstance.Value)) Then If propertyInstance.CIMType = 19 And CDbl(Val(propertyInstance.Value)) < 0 Then sPropertyValue = Trim$(Str$(CDbl(propertyInstance.Value) + CDbl(2 ^ 32))) Else sPropertyValue = propertyInstance.Value End If Else sPropertyValue = "(null)" End If
Dates and Times

These are returned in UTC (Universal Time Code) format, so even if servers are located in different time zones, connect/disconnect times are the same on each server. You must manually take into account any time zone differences between servers and clients.
127
OLE Server Busy Dialog

If the OLE server busy dialog box with the Switch To, Retry, and Cancel buttons appears (shown below) or the OLE server Busy versionappears, the application is requesting data from the MetaFrame server and hasnt received a response. Wait until the code completes or terminate the Visual Basic application.
You can change the title and message of the dialog box using the following code:
StrOleBusyTitle=Waiting On Remote Server StrOleBusyText=No response from Remote server yet. App.OleServerBusyMsgTitle=strOleBusyTitle App.OlseRequestPendingMsgTitle= strOleBusyTitle App.OleServerBusyMsgText=strOleBusyText App.OleRequestPendingMsgText=strOleBusyText
In Visual Basic.NET there is an option to set a time-out for how long the application will wait for a response.
NULL Data
If you are coding in Visual Basic 6, extra steps must be taken to check that data returned from the Provider is not null (as opposed to being 0 or ) before attempting to perform operations on the data. The following is an example of bad code:
if licenseObject.Properties_("GraceDays").Value <5 then ' ... take some action to warn license is going to expire end if
This raises an error for activated licenses, which returns null for grace days. Either set an error handler before this, or perform the following:
If not ( IsNull ( licenseObject.Properties_("GraceDays") .Value)) then ' Now safe to test the value if licencseObject.Properties_("GraceDays").Value <5 then ' ... take some action to warn license is going to expire End if End if
128
Visual Basic.NET
Visual Basic.NET has the System.Management class for WMI. The objects are declared differently from Visual Basic 6. The following code segment lists all the servers in a farm:
Imports system.management Dim strServerName as string StrServerName="server01" Dim CitrixServerClass As New ManagementClass("Citrix_ Server") CitrixServerClass.Scope = New ManagementScope("\\" & strServerName & " Dim Citrix_Servers As ManagementObjectCollection = CitrixServerClass.GetInstances() Dim Citrix_Server As ManagementObject For Each Citrix_Server In Citrix_Servers Console.WriteLine("Server = " & Citrix_Server("ServerName").ToString()) Next
CHAPTER 6
Deploying, Publishing, and Configuring Applications
This chapter includes information about deploying, publishing, and configuring the applications in your server farm. Important All new applications should be tested prior to deployment. Even commonly deployed applications can impact MetaFrame Presentation Server.
Publishing in Domains with Thousands of Objects

MetaFrame Presentation Server was tested in domains with over 10,000 objects in a single directory services container. Using MetaFrame Presentation Server in a directory services or domain environment that contains a large number of objects, such as Novell Directory Service or Microsoft Active Directory, presents factors you should take into consideration when designing your farm. If you use a directory services environment with a large number of objects, the following recommendations can help you when publishing applications: Use groups to categorize and assign permissions to large numbers of users. An application published to one group of 1,000 users requires the validation of only one object for all 1,000 users. That same application published to 1,000 individual user accounts requires the validation of 1,000 objects. Do not assign more than 1,000 users or group objects to a published application. This decreases the application publishing time, because all user and group accounts must be verified. Although the console may appear to time-out after five minutes, the server continues to publish the application in the background.
Use the Add List of Names button instead of scrolling to locate a user when the users container holds thousands of objects. In environments with hundreds or thousands of published applications, adding a new server to the farm can be difficult. To add multiple applications to a server, launch the Presentation Server Console and select the existing published applications you want to publish to the new server. Dragging the selected applications to the server in the left-hand side of the console adds all of the selected applications to the server. Ensure that the new server has access to the user accounts for which the applications are published. If the machine does not have permissions for the existing user accounts, the accounts are reset and replaced with the built-in user accounts.
Content Redirection
This section includes information about using the content redirection feature. With content redirection, you determine which applicationsremote or local users launch and in which situations. For information about how to configure and use content redirection, see the MetaFrame Presentation Server Administrators Guide. The following points are known issues for server to client content redirection. Content redirection from server to client is unidirectional. This means that if, for example, a user clicks a URL in a mail program running in a remote session, the link is launched in a browser installed on the MetaFrame Presentation Server Client device. However, if the user attempts to use the mail to function inside the locally running browser, that mail link is not redirected back to the remote mail application. The default mail program on the client device opens. For server to client content redirection to function, the server must access the SHELL/open/command values for application types. Microsoft Word for Windows (Winword.exe) does not redirect HTTP or HTTPS type hyperlinks to the Web browser on the client device. For example, if a user clicks a hyperlink encountered in a Word document running in the remote Word application, the Web browser on the MetaFrame Presentation Server opens, not the locally installed Web browser. The Microsoft Office suite does not directly access the Shell values and redirects these types of links directly to the application itself. MMS and PNM URL links do work from within Word. Neither the Notepad text editor (Notepad.exe) nor the Write text editor (Write.exe) support URL hyperlinks.
(on master page) Header Chapter 6 Deploying, Publishing, and Configuring Applications
131
The Textpad text editor (Version 4.5.0, 32-bit edition from Helios Software Solutions) redirects both the HTTP and HTTPS types of URL hyperlinks. This application does not redirect multimedia URL links, however.
Note Content redirection from client to server is available only with MetaFrame Presentation Server Advanced and Enterprise editions.
Enhanced Content Publishing and Redirection with the Web Interface

This section provides information about using the enhanced content publishing and redirection features with the Web Interface. Published content can be associated with a published application in a server farm. Previously, users could open published content only with locally installed applications. When published content is accessed, content redirection now allows users to automatically launch a connection to a server and open that content. For applications to work with enhanced content publishing and redirection, they must be capable of accepting command line arguments. For example, Notepad accepts UNC addresses but not URLs. To associate an application with content, the application must be published on the server. When you publish an application, include the percent and asterisk symbols (%*) at the end of the command line; for example: C:\Program Files\Office\WINWORD.EXE %*.
Using Web Server Scripts

Web server scripts can be used to manipulate the Web Interface Java objects. This section provides information about the Java objects associated with the Content Publishing feature and also provides sample scripts to act as a guide for using the Web Interface objects. Content publishing uses the findAppByExtension() method on the AppDataList object. This method accepts the address of the content and searches the list of applications it contains for one that supports the associated type of content (based upon the documents extension). For example, if a Microsoft Word document is published as the URL: http://mywebsite/spec.doc, the following is used: findAppByExtension (http://mywebsite/spec.doc).
132
If a published application is available that supports the document content, a Web Interface App object is returned that describes the published application. The application can then be launched using the Web Interface, passing the address of the published content as a command-line parameter. Clients Version 6.30 or later (except the MetaFrame Presentation Server Client for Java) support the specification of command-line arguments through ICA files using the LongCommandLine setting. Sample scripts are shown below for both ASP (Active Server Pages for IIS Web servers) and JSP (JavaServer Pages for Java Web servers). These scripts assume that the address of the published content is supplied as a URL or UNC path. The main steps in the scripts are: 1. Obtain the list of published applications available to the user. 2. Locate the published application associated with the contents extension. 3. Launch the published application by generating an appropriate ICA file.
ASP Example
1. Obtain the list of applications.
Set credentials = Server.CreateObject ("com.citrix.nfuse.ClearTextCredentials") credentials.initialize "user", "domain", "password" Set gateway = Server.CreateObject ("com.citrix.nfuse.CitrixWireGateway") gateway.initialize credentials Set appList = gateway.getAppDataList()
2. Locate the published application using file type association.

Set contentApp = appList.findAppByExtension("http://mywebsite/ spec.doc")
3. Launch the application with the content.

Create a TemplateParser object (to generate the ICA file) Set parser = Server.CreateObject ("com.citrix.nfuse.TemplateParser") ' Set up the launching credentials CookStr = "NFuse_User=user&NFuse_Domain =domain&NFuse_LogonMode=Explicit& NFuse_Password=password" ' Set these as cookie session fields parser.setCookieSessionFields(CookStr) ' Set the published app to use for launching the content urlSessionFields = "NFuse_Application=" & contentApp.getNameUrlEncoded &
Chapter 6 Deploying, Publishing, and Configuring Applications
133
' '
'
' ' '
'
"&NFuse_AppFriendlyNameURLEncoded=" & contentApp.getFriendlyNameUrlEncoded Set these as URL session fields parser.setUrlSessionFields(UrlSessionFields) Set address of the content used as a command line argument parser.setSingleSessionField "NFuse_AppCommandLine", "http://mywebsite/spec.doc" Specify the template ICA file to use parser.setSingleSessionField "NFuse_Template", "template.ica" Generate content of ICA file and return MIME type "x-ica" This causes browser to launch the ICA file and hence the published application. If parser.Parse() Then Response.ContentType = "application/x-ica" Continue = True While (Continue) HtmlString = parser.getNextDataBlock() If Len(HtmlString) = 0 Then Continue = False Else Response.write(HtmlString) End If Wend Else Parser failed. Attempt to display the published content using local (client side) application. Response.Redirect(docURL) End If
134
JSP Example
1. Obtain the list of applications.
ClearTextCredentials credentials = new ClearTextCredentials(); credentials.initialize("user", "domain", "password"); CitrixWireGateway gateway = new CitrixWireGateway(); gateway.initialize(credentials); AppDataList appList = gateway.getAppDataList();
2. Locate the published application using file type association.

App contentApp = appList.findAppByExtension ("http://mywebsite/spec.doc");
3. Launch the application with the content.

// Create a TemplateParser object (to generate ICA file) TemplateParser parser = new TemplateParser(); // Set up the launching credentials String CookStr = "NFuse_User=user&NFuse_Domain=domain &NFuse_LogonMode=Explicit&NFuse_Password=password"; // Set these as cookie session fields parser.setCookieSessionFields(CookStr); // Set the published app to use for launching the content urlSessionFields = "NFuse_Application=" + contentApp.getNameUrlEncoded + "&NFuse_AppFriendlyNameURLEncoded=" + contentApp.getFriendlyNameUrlEncoded; // Set these as URL session fields parser.setUrlSessionFields(UrlSessionFields); // Set address of content to use as a command line argument parser.setSingleSessionField("NFuse_AppCommandLine", "http://mywebsite/spec.doc"); // Specify the template ICA file to use parser.setSingleSessionField("NFuse_Template", "template.ica"); // Generate content of ICA file and return MIME type"x-ica" // This causes browser to launch the ICA file and hence the // published application. if (parser.Parse()) { String contentType = parser.getContentType(); response.setContentType(contentType); boolean continue = True; while (continue) { String HtmlString = parser.getNextDataBlock(); If (HtmlString.length() == 0) { continue = False; } else { out.println(HtmlString);

} } } else { // Parser failed. Attempt to display the published content using local (client side) application. response.sendRedirect(docURL); }
135
Sample Template.ica File

[Encoding] InputEncoding=ISO8859_1 [WFClient] Version=2 ClientName=[NFuse_ClientName] RemoveICAFile=yes [ApplicationServers] [NFuse_AppName]= [[NFuse_AppName]] Address=[NFuse_AppServerAddress] InitialProgram=#[NFuse_AppName] LongCommandLine="[NFuse_AppCommandLine]" DesiredColor=[NFuse_WindowColors] TransportDriver=TCP/IP WinStationDriver=ICA 3.0 [NFuse_ClientLogon] [NFuse_SOCKSSettings] AutologonAllowed=ON [NFuse_Ticket] [NFuse_IcaAudio] [NFuse_IcaWindow] [NFuse_IcaEncryption] SessionsharingKey=[NFuse_SessionSharingKey]
136
Configuring SpeedScreen Browser Acceleration for Published Applications

SpeedScreen Browser Acceleration and Internet Explorer
There are two settings in Internet Explorer that are relevant to SpeedScreen Browser Acceleration operation. These are the Automatic Image Resizing, available in Internet Explorer 6.0 or later, and Play Animations in Web pages.
Automatic Image Resizing

Automatic Image Resizing causes images that are larger than the browser window to be resized so that the complete image is visible within the browser window. While the initial image prior to the resize may be rendered correctly through SpeedScreen Browser Acceleration, the resized image will not. For optimal performance, Citrix recommends disabling Automatic Image Resizing.
Play Animations in Web Page

When this feature is enabled, animated GIF images are rendered as animations and SpeedBrowse support for GIF images is disabled. Citrix recommends that you disable Play Animations in Web pages. When this feature is disabled, SpeedScreen Browser Acceleration support for GIF images is enabled. Disabling the Play Animations in Web pages provides a further bandwidth reduction due to the absence of animations that consume significant bandwidth. MetaFrame Presentation Server disables both Automatic Resizing and the Play Animations for all users on the server. The features are disabled when the user logs on for the first time following the installation of MetaFrame Presentation Server. If a user subsequently enables either of these settings, they will not be modified again. These features can be accessed by opening Internet Explorer and selecting Tools > Internet Options, or by selecting Start > Settings > Control Panel > Internet Options.
137
Advanced Configuration Information

This section contains information about automatically disabling the Internet Explorer features previously described. MetaFrame Presentation Server disables the Automatic Image Resizing and the Play Animations features the first time a user logs on to MetaFrame Presentation Server. These features are disabled only after the first time users log on. Disabling of these features is controlled through two registry entries, one for each feature. The registry values are contained in the registry key HKEY_CURRENT_USER\Software\Citrix. The registry values are defined in the table below.
Value Name DisablePlayAnimations Value 0 1 (default if not present) 0 1 (default if not present) Description Retain users setting. Disable Play Animations in Web pages in Internet Explorer. Retain users setting. Disable Automatic Image Resizing in Internet Explorer.
DisableAutoImageResize
If during logon, either of the registry settings is set to 1 or is not present, the corresponding feature is disabled and the registry settings are set to 0. If either registry setting is set to 0, the users settings for these two options are retained; they are not automatically modified. You may find this information useful when designing logoff scripts. For example, you can ensure both features are disabled when the user next logs on to MetaFrame by ensuring the logoff script sets these values to 1.
138
Configuring SpeedScreen Browser Acceleration on the Client

SpeedScreen Browser Acceleration settings must be configured in ICA files. The preferred configuration method is to use the Web Interface. By default, SpeedScreen Browser Acceleration is enabled on the client for all connections. Note that if either the server or the client has SpeedScreen Browser Acceleration configured to OFF, it is disabled for that connection. This section describes the ICA file parameters that can be used to configure SpeedScreen Browser Acceleration.
Basic SpeedScreen Browser Acceleration ICA File Settings

SpeedScreenBA
Usage
SpeedScreenBA=[ON | OFF]
Description
Setting SpeedScreenBA=On enables SpeedScreen Browser Acceleration for a connection. Note that the server settings may override this setting. Disabling SpeedScreen Browser Acceleration on the server causes this setting to be ignored for a connection. Setting SpeedScreenBA=Off disables SpeedScreen Browser Acceleration for a connection. This is disabled even if the server setting specifies that SpeedScreen Browser Acceleration is to be enabled.
SpeedScreenBACompressionEnabled
Usage
SpeedScreenBACompressionEnabled=[ON | OFF]
Description
Setting SpeedScreenBACompressionEnabled=On enables SpeedScreen Browser Acceleration JPEG image compression for a connection. Note that the server settings may override this setting. If the server has disabled JPEG Image compression, the server setting overrides the client setting. Setting SpeedScreenBACompressionEnabled=Off disables SpeedScreen Browser Acceleration JPEG compression for a connection. This is disabled even if the server setting specifies that JPEG compression is to be enabled.
139
Advanced SpeedScreen Browser Acceleration ICA File Settings

SpeedScreenBACompressedCacheSize
Usage
SpeedScreenBACompressedCacheSize=value
Description
SpeedScreen Browser Acceleration uses a compressed cache to store JPEG and GIF data sent from a computer running MetaFrame Presentation Server. By caching this data on the client, pages that are revisited display faster, because the server will not retransmit the cached images to the client. The size of the cache determines how long images are stored in the cache and the number of files that can be stored in the cache. When the cache is full, images previously added to the cache are deleted from the cache (the least recently accessed images are deleted first). Initially the cache is empty and does not consume memory. As images are added to the cache, the cache grows to accommodate the images. If an image exceeds the maximum compressed cache size, it is not displayed through SpeedScreen Browser Acceleration. The value parameter is the maximum memory consumption that SpeedScreen Browser Acceleration will use to store JPEG and GIF image data, measured in kilobytes. The default value for this parameter is 16384KB (16MB). Administrators can modify this setting to limit the maximum memory consumption of the client or, alternatively, to allow higher maximum memory consumption if required. Increasing the memory consumption may provide some benefit on very slow connections where the transmission time for images is very high.
SpeedScreenBADecompressedCacheSize
Usage
SpeedScreenBADecompressedCacheSize=value
Description
SpeedScreen Browser Acceleration stores the bitmap representations of JPEG and GIF images in a decompressed cache. Using a decompressed cache means that the JPEG and GIF images do not need to be decompressed each time they are drawn. Using a decompressed cache provides a significant performance boost when a page is scrolled because a scroll operation results in a number of drawing operations on the same image.
140
When an image needs to be drawn, it is decompressed and added to the decompressed cache. Images remain in the decompressed cache until more space is required in the cache. Images are deleted from the decompressed cache when adding a new image could exceed the maximum decompressed cache size. Images can be added and removed from the decompressed cache any number of times while the image is in the compressed cache. The maximum size of the decompressed cache size determines the maximum dimensions of an image that can be displayed through SpeedScreen Browser Acceleration. JPEG images require 24bpp (bits per pixel), while GIF images require 8bpp. A larger decompressed cache size allows images with a larger dimension to be displayed. Reducing the size of the decompressed cache reduces the maximum image dimensions that can be displayed. Images that will exceed the maximum decompressed cache size when decompressed are not downloaded to the client at all but are displayed in Legacy mode.
SpeedScreenBAMaximumCompressionLevel
Usage
SpeedScreenBAMaximumCompressionLevel=value
Description
The SpeedScreenBAMaximumCompressionLevel ICA file parameter defines the maximum SpeedScreen compression level for a connection. The default value for this parameter is 2 (high compression). The valid values for this parameter are:
0 1 2 Low Compression Medium Compression High Compression
SpeedScreen JPEG Image Recompression performs a lossy compression on the JPEG images transferred to the client. A higher compression level results in reduced bandwidth consumption, but has significant impact on image quality. The lower of the two compression levels specified on the client and the server is used as the maximum compression level for a connection. Thus if the client specifies medium compression and the server high, the maximum compression level used for the connection will be medium compression. This parameter is ignored if either the client or server indicates that compression is not enabled for a connection.
141
SpeedScreen Browser Acceleration Limitations and Known Issues

No Support for Transparent GIF Images
SpeedScreen Browser Acceleration does not support transparent GIF images. Transparent GIF images are rendered in Legacy mode. The first figure shows a transparent GIF on a white background, the second on a blue background, as it appears on a Web page.
Transparent GIF on a white background
Transparent GIF on a blue background
Images Resized in HTML

The HTML that describes a Web page can also specify the width and the height that an image can use. This can be different from the actual width and height of the image. In this case, Internet Explorer enlarges or reduces the image as required to fit it into the size specified in the HTML. SpeedScreen Browser Acceleration does not support images that are resized using this technique. Images that are resized in HTML are drawn in Legacy mode. This feature is not the same as the Automatic Image Resizing feature described previously. Automatic Image Resizing refers to the scaling of an image that is larger than the browser display area so that it fits into the display area of the browser.
142
Media Formats and Network Types Supported by SpeedScreen Multimedia Acceleration

Supported Media Formats
SpeedScreen Multimedia Acceleration supports a range of multimedia playback formats. The table below lists a few of the media types that were tested successfully using Windows Media Player 6.4/8.0/9.0 and RealOne Player. In general, SpeedScreen Multimedia Acceleration supports all media types that can be decoded by a DirectShow based codec, regardless of file format. SpeedScreen Multimedia Acceleration is supported when connecting to computers running Windows Server 2000 and Windows Server 2003, from Windows 9x, Windows Server 2000, and Windows XP clients. Note Media type differs from file format. File formats can encapsulate various media types, such as those listed below. For example, a single AVI file could contain a DIVX Video stream and an AC3 digital audio stream, and would need both the DIVX and AC3 DirectShow codecs for proper playback.
Media Type (Media Encoding Format)
File Format (File Extension)
Media Player 6.4/ 8.0/9.0
RealOne Player
QuickTime
DirectShow -based Media Players
DIVX Video XVID Video Microsoft Video 1 MPEG-1 Video MPEG-4 Video Indeo Interactive Video MPEG-1 Audio AC3 Audio Fraunhofer MPEG Layer-3 Codec MP3
AVI MPEG MPG ASF
Y Y Y Y Y Y Y Y Y
Y Y Y Y Y Y Y Y Y X
X X X X X X X X X X
Y Y Y Y Y Y Y Y Y X
MP3
Y*
143
Media Type (Media Encoding Format)
File Format (File Extension)
Media Player 6.4/ 8.0/9.0
RealOne Player
QuickTime
DirectShow -based Media Players
WMA WMV Real Media Quick Time
WMA WMV RM MOV
Y* X X X
X X X X
X X X X
X X X X
Y- Supported through SpeedScreen Multimedia Acceleration X Not supported through SpeedScreen Multimedia Acceleration * - Support through SpeedScreen Multimedia Acceleration only when playing through Windows Media Player 9.0. Data is transferred in uncompressed format. Note The table above describes only some of the more popular media types and file formats. As stated above, in general SpeedScreen Multimedia Acceleration supports all media types that can be decoded by a DirectShow based codec, regardless of file format. Citrix recommends that you always upgrade the client devices to use the latest version of Microsofts DirectX software and to keep the servers version of Microsoft Windows Media Player upgraded to the latest version/update. Note that playback can take advantage of the new SpeedScreen Multimedia Acceleration when playing MP3 or other such audio. In this case, the computer running MetaFrame Presentation Server doesnt actually play the data and send data to clients, but instead streams the compressed codec data to the client and allows the client to decompress and play the data.
144
Supported Network Types

When multimedia streams are rendered through SpeedScreen Multimedia Acceleration because native (compressed) streams are being sent, bandwidth usage is lower. The following network types are supported: LAN - Supported. WAN (DSL) - Conditional support. Audio streams are supported. Video streams are supported based on the media type, actual content, network conditions, client and server buffer configurations. Low resolution videos; for example, 320x240 work under most circumstances. For higher resolution videos frames are dropped as part of quality control resulting in degraded video quality. Satellite - Not supported. Modem - Not supported.
SpeedScreen MultiMedia Acceleration Configuration Options

The following options can be used in the clients Appsrv.ini file for configuring the SpeedScreen Multimedia Acceleration feature. SpeedScreenMMAVideoEnabled Default Value: TRUE Description: Enable/Disable video playback through RAVE SpeedScreenMMAAudioEnabled Default Value: TRUE Description: Enable/Disable audio playback through RAVE SpeedScreenMMASecondsToBuffer Default Value: 10 Description: Seconds of buffer in the client. Values range from 1-10. This value is set on both the server and client and the connection is set up with the smaller of these values. SpeedScreenMMAMaximumBufferSize Default Value: 30240 Description: Maximum size in kilobytes of the media queue that the client can create. This is per stream, so the client could create a 30240KB queue for Audio and 30240 Queue for Video.
145
SpeedScreenMMAMinBufferThreshHold Default Value: 10 Description: Percent value with a range of 5-15. When the data in the media queue reaches this value, the client requests a burst from the server to replenish its media queue.
SpeedScreenMMAMaxBufferThreshHold Default Value: 90 Description: Percent value with a range of 85-95. When the data in the media queue reaches this value, the client requests that the server stop sending data until the data in the queue levels off.
SpeedScreenMMAPlaybackPercent Default Value: 35 Description: Percent value with a range of 25-45. This is the percentage of the media queue that needs to be filled before playback on the client begins.
146
Adding and Removing Users from Published Applications Using VBScript and MetaFrameCOM
MetaFrameCOM (MFCOM ) is a COM server that exposes some of the MetaFrame Presentation Server control and monitoring functions through the objects and interfaces it defines. MFCOM is also a programming interface to the functions provided by the Presentation Server Console. MFCOM is a COM object that meets the requirements defined in the Microsoft Component Object Model Specification. MFCOM is a COM server, not a COM client. MFCOM exposes objects that can be accessed from a COM client. It is a free threading COM server and supports automation. It is also a DCOM server; that is, a COM client can remotely connect to a server.
Using MFCOM
In most cases, MFCOM can be used on servers with no additional configuration. MFCOM is installed and registered by the installation of MetaFrame Presentation Server. The C:\program files\citrix\system32\mfreg.exe program can be used to register or un-register MFCOM manually on the server. To use MFCOM remotely, a utility program, c:\program files\citrix\mpssdk\utils\mfreg.exe, must be used to register MFCOM as a remote server. To obtain the Mfreg.exe program, download the MetaFrame Presentation Server SDK (MPSSDK ) from the downloads section on http:// www.citrix.com. Installing the MPSSDK package provides a prompt to register MetaFrame Presentation Server. To register or un-register the DCOM client manually, use the c:\Program files\citrix\mpssdk\utils\mfreg.exe program. Additionally, you may have to use the Microsoft tool DCOMCNFG.EXE to change the default impersonation to impersonate. You must restart your computer after you make this change. For additional information, visit the Citrix Developer Network at http://apps.citrix.com/cdn/.
MFCOM VBScripting
Although MFCOM can be used with any COM-compliant programming language such as Visual Basic 6.0, Visual C++, Perl, VB.Net, C#.Net, and C++.net it is very convenient to use VBScript. VBScript is included in most versions of Microsoft Windows. VBScript is a useful programming tool if you want to take advantage of scripting to overcome the difficult tasks of server maintenance. The following example can be used to add or remove an Active Directory domain user or group to or from a published application and demonstrates how a VBScript can be created. The script can be modified to perform other tasks applicable to your published applications.
147
If your farms have a large number of published applications, scripts can be used to batch the process of adding or removing accounts from published applications, which can save you a substantial amount of time. To run the following script, type the following at a command prompt: d:>cscript addacct.wsf where d is the drive where the script is located.
<package> <job id="AddAcct"> <comment> File: addacct.wsf Description: Example of how to add a ADS user or group to a published application. Requirements: WSH 5.5 or higher. Copyright (c) 2004 Citrix Systems, Inc. </comment> <runtime> <description> Add a user or group to an application. </description> <example> CScript //nologo USAGE: Addacct.wsf DOMAIN NAME, USER|GROUP NAME Example: Addacct.wsf MYADS Domain Users Use Double Quotes for names such as Domain Users Example: Addacct.wsf MYADS JONDOE </example> </runtime> <reference object="MetaFrameCOM.MetaFrameFarm"/> <script language="VBScript"> Option Explicit Dim AAName, AcctName, theFarm, anApp, MFUser, aWinApp if
WScript.Arguments.Count <> 2 Then WScript.Echo "USAGE: Addacct.wsf DOMAIN NAME, USER|GROUP NAME" WScript.Echo "" WScript.Echo "Example: Addacct.wsf MYADS Domain Users" WScript.Echo " Use Double Quotes for names such as Domain Users" WScript.Echo "Example: Addacct.wsf MYADS JONDOE" WScript.Quit 0
148

Else AAName = WScript.Arguments(0) AcctName = WScript.Arguments(1) wscript.echo AAName, ACCTNAME End If ' ' ' Set theFarm = CreateObject("MetaFrameCOM.MetaFrame Farm") if Err.Number <> 0 Then WScript.Echo "Can't create MetaFrameFarm object" WScript.Echo "(" & Err.Number & ") " & Err.Description WScript.Echo "" WScript.Quit Err.Number End if ' ' Initialize the farm object. ' theFarm.Initialize(MetaFrameWinFarmObject) if Err.Number <> 0 Then WScript.Echo "Can't Initialize MetaFrameFarm object" WScript.Echo "(" & Err.Number & ") " & Err.Description WScript.Echo "quiting " WScript.Quit Err.Number End if ' ' ' Are you Citrix Administrator? ' ' if theFarm.WinFarmObject.IsCitrixAdministrator = 0 then WScript.Echo "You must be a Citrix admin to run this script" WScript.Echo "" WScript.Quit 0 End If ' ' Display all applications in the farm. ' ' For Each anApp In theFarm.Applications if Err.Number <> 0 Then WScript.Echo "Can't enumerate applications" WScript.Echo "(" & Err.Number & ") " & Err.Description WScript.Echo ""

WScript.Quit Err.Number End if ' ' ' Create the user object Set MFUser = CreateObject("MetaFrame COM.MetaFrameUser") MFUser.initialize MFAccountAuthorityADS, AAName, MFAc countDomainUser, AcctName ' ' ' Add the user or group to all published applications
149
anApp.LoadData(TRUE) if anApp.AppType = MetaFrameWinAppObject Then ' MetaFrameWinApp object. Set aWinApp = anApp.WinAppObject anApp.Adduser MFAccountAuthorityADS, AAName, MFAccountDomainUser, AcctName anApp.SaveData end if Next </script> </job> </package>
Modifying the above script can produce an entirely different result. For example, replacing the line:
anApp.Adduser MFAccountAuthorityADS, AAName, MFAccountDomainUser, AcctName
with
anApp.removeuser MFAccountAuthorityADS, AAName, MFAccountDomainUser, AcctName
removes an Active Directory user or group from all the published applications. In this script the MFAccountAuthorityADS and MFAccountDomainUser enumerations are coded into the calls to add and remove Active Directory users and groups. If you are adding or removing users and groups from other account authorities such as NDS, Windows NT, or the local machine, you have to change these parameters (enumerations). For additional information, visit the Citrix Developer Network at http://apps.citrix.com/cdn/.
150
Using Installation Manager to Deploy Windows Installer Packages

Consider the following issues before you use Installation Manager to deploy Windows Installer packages (files with the .msi extension). If you are applying more than one Windows Installer transform file (files with the .mst extension) to the same Windows Installer package, each transform will install different components but apply them to the same Windows Installer package. For example, if you use transforms with an installation file for Microsoft Office, any components you select in the transforms are not installed even though the installation job appears to complete successfully. Recording Microsoft patch packages (files with the .msp extension) is not necessary. You can browse through Installation Manager and add the *.msp file. You can uninstall a Microsoft patch package from the target server; however, you cannot uninstall the patch from the server to which it was deployed. If you need to apply another patch to the application installed on the target server, first uninstall the application on the target server and then deploy the application and the patch again.
Important When multiple Windows Installer packages are installed, a memory leak can occur in Msiexec.exe. To avoid this, install the latest Windows service pack.
Force Reinstall Option

When a package is scheduled to be deployed to a target server, Installation Manager detects if the package is already installed. If an application from the package is detected, Installation Manager does not deploy the application and instead reports a status of Already Installed. If you need to overwrite an existing installation, set the Force Reinstall option on the Properties screen of the already installed package. This new installation can be used to fix any previously damaged installations or to overwrite the existing application of the same version with any changes you applied. Note After the Force Reinstall option overwrites a package, the package you used to install the original application cannot be used to uninstall the application from the target server. You can uninstall only the newly installed package. After you use the Force Reinstall option on the same package, the Installed Packages tab for the target server reports two records for the same package.
151
Installation Manager Compatability

The version of Installation Manager that ships with MetaFrame Presentation Server 3.0 also supports packages made using earlier versions of Installation Manager. However, some applications may cause issues with this backwards compatibility. Because of this, Citrix recommends that you recreate the packages using the latest version of Installation Manager. Packages created with earlier versions may have been packaged on servers that did not have the operating system and other updates your server farm contains. When recording a package, the source server should have a configuration similar to that of the target servers.
Using the Application Publishing Wizard

The Application Publishing wizard in the Installation Manager node of the Presentation Server Console deploys Installation Manager packages in the server farm. The wizard allows you to automatically install, publish, and load balance the applications. Additionally, the command line utility apputil can be used to add and remove servers from these published packages through scripting, further automating the application installation process. Applications published without the wizard are not automatically published or load balanced. For more information about apputil, see the MetaFrame Presentation Server Administrators Guide. Note Packages created by earlier versions of Installation Manager may not support this feature.
Uninstalling a Package
By default, a deployed package can be uninstalled using only the original package. For example, you cannot directly uninstall an ADF package that has a status of Already Installed. Instead, perform another full installation using the Force Reinstall option. This new package can be used to uninstall the same package. The application can also be uninstalled from target servers without Installation Manager by using Add/Remove Programs in Control Panel. Note If you uninstall from the Already Installed package, the target server will not detect the uninstallation and still reports that the package is installed.
CHAPTER 7
Optimizing MetaFrame Presentation Server Performance
This chapter suggests optimizations that can increase the performance of MetaFrame Presentation Server running in a Windows environment. Many of the recommendations are based on Microsoft Knowledge Base articles accessible from the Microsoft Web site at http://support.microsoft.com.
Network Optimization
This section covers a few common network performance issues you can remedy by adjusting the default Windows network configuration.
Refused Connections
The server can refuse connections because of self-imposed limits specified by the MaxMpxCt and MaxWorkItem registry values. If this happens, users see the following errors: System could not log you on because domain <domainname> is not available. You do not have access to logon to this session. Before changing these values, read Microsoft Knowledge Base article Q232476. When modifying the following registry settings, ensure that the MaxWorkItems value is always four times the MaxMpxCt value. Suggested new values for MaxMpxCt and MaxWorkItems are 1024 and 4096 respectively. Caution A number of steps in this chapter require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\LanmanServer\Parameters Name: MaxMpxCt Type: REG_DWORD Data: 1024 Name: MaxWorkItems Type: REG_DWORD Data: 4096
Network Request Buffer

If working in a mixed Windows Server 2000 and Terminal Server Edition environment, you can improve performance by modifying the network request buffer size on the TSE servers. Increasing this value to 65,536 bytes from the default of 4,356 bytes significantly improves LAN Manager file writes. For more information, see Microsoft Knowledge Base article Q279282. To modify the network request buffer size, set the following registry values: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Parameters Name: SizReqBuf Type: REG_DWORD Data: 512 bytes to 65536 bytes
Network Cards
Most 10/100-based network cards auto-sense the network speed by default. Manually setting these cards prevents the auto-sensing process from interfering with communication and enforces the desired network speed. If the server is connected to an auto-sensing device, apply these settings to this device as well. Verify that only necessary protocols are installed, and that the binding order of those protocols to the network interface card lists the most commonly used protocol first.
(on master page) Header Chapter 7 Optimizing MetaFrame Presentation Server Performance
155
TCP/IP and ICA KeepAlives

In networks that are subject to periodic intervals of high network latency, MetaFrame Presentation Server Clients may time out when connected to a session. When users attempt to reconnect to a dropped session, they receive a new session instead of being reconnected to their previous session because the server is not aware that the previous session was dropped. For ICA sessions that are connected through TCP, you can remedy this problem by enabling TCPKeepAlives. Modification of the TCPKeepAlive parameter helps the host server become aware sooner of any sessions dropped due to network problems. For more information about TCP parameters, see Microsoft Knowledge Base article Q120642. Make the following registry changes to the TCP stack to tune the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \Tcpip\Parameters Name: KeepAliveTime Type: REG_DWORD Data: 0000ea60 Name: KeepAliveInterval Type: REG_DWORD Data: 000003e8 Important Aggressive parameters may cause TCP/IP-based communications to time-out prematurely. Adjust these parameters as necessary to prevent this behavior. MetaFrame also has an ICAKeepAlive packet that is not protocol-specific. There are two ways to configure ICAKeepAlives: Edit the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Citrix Name: ICAEnableKeepAlive Type: REG_DWORD Data: 1 (0 is default, Off) Name: KeepAliveInterval Type: REG_DWORD Data: <number of seconds> (default is 60 seconds)
156
In the left pane of the Presentation Server Console, select the server you want to configure, then: 1. Right-click and select Properties from the context menu that appears. 2. Select ICA Keep-Alive from the dialog box. 3. Click Enable ICA Keep-Alive and then enter a value (in seconds) in the Time Out Value box.
Important Enabling KeepAlives may keep demand-dial links up in a WAN environment. For more information about Configuring TCP and ICA KeepAlive values, see the Citrix Knowledge base article CTX708444 at http://www.citrix.com.
Windows Network Status Icon

Windows Server 2000 and Windows Server 2003 provide an option to show the network icon in the system tray. When this option is selected, a network icon is displayed in the system tray within the session. The network icon blinks each time network traffic occurs. The network icon blinks for each update. When the network icon in the system tray blinks, it causes the ICA session to update. Because the ICA session is being updated, network traffic occurs that causes the network icon to blink. This causes an infinite feedback loop. To turn off the network status icon 1. Go to Start > Settings > Control Panel > Network and Dial-up Connections > Local Area Connection. 2. Right-click Local Area Connection and select Properties. 3. Uncheck Show Icon in notification area when connected. In Windows Server 2000, the option states, Show Icon in taskbar when connected. 4. Repeat these steps for each network adapter or connection on every server in your farm.
Chapter 7 Optimizing MetaFrame Presentation Server Performance
157
Improving Connectivity over Inconsistent WAN Links

This section includes information about decreasing the number of disconnected TCP/IP sessions when clients connect over the Internet or any other WAN link with inconsistent bandwidth. If the quality of a WAN link dramatically decreases after a user connects to a server, the connection can be dropped. Users experiencing this problem receive the following error message: Error in Connection: the Citrix server is no longer available. By default, the TCP/IP protocol uses the initial packet round-trip time at the moment when the session is initiated to determine what is normal for that connection. Thus it is better to have a consistently slow WAN connection than to have a connection that starts out fast and then becomes slow. Such an erosion of connection speed is common when connecting through an Internet Service Provider (ISP), particularly when the connection is opened in the morning and maintained throughout the day. To accommodate this erosion of bandwidth, add TcpMaxDataRetransmissions to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \Tcpip\Parameters Name: TcpMaxDataRetransmissions Type: REG_DWORD Data: 10 To add the key TcpMaxDataRetransmissions when it does not exist 1. Highlight Parameters. From the Edit menu, choose Add Value. 2. Type TcpMaxDataRetransmissions in the Value Name box. 3. Select REG_ DWORD in the Data Type box. Click OK. 4. Select Decimal from the radix options. 5. Type 10 in the Data box. Click OK.
Retransmission Behavior
TCP starts a retransmission timer when each outbound segment is handed down to IP. If no acknowledgment is received for the data in a given segment before the timer expires, the segment is retransmitted up to the number of times specified in the TcpMaxDataRetransmissions registry key. The default value for this is five.
158
The retransmission timer is initialized to three seconds when a TCP connection is established; however, it is adjusted dynamically to match the characteristics of the connection using Smoothed Round Trip Time (SRTT) calculations.The timer for a given segment is doubled after each retransmission of that segment. Using this algorithm, TCP tunes itself to the normal delay of a connection. Because the default number of retries is five, the round-trip time can double four times (in other words, it can become 16 times slower than its initial value) before the session is dropped. By increasing this number to 10, you allow the round-trip time to double nine times instead of four, which allows the connection quality to erode up to 512 times its original value before being dropped. For example, a connection that begins with a round-trip time of 20 milliseconds has to erode to a round-trip time of 10,240 milliseconds before being dropped by the server. If possible, make this registry change on the client device as well. More information is available in Microsoft TechNet Articles Q120642 and Q17035.
Selecting Non-Standard TCP Packet Sizes

By default, ICA sessions connecting over TCP use maximum sized TCP packets (up to 1460 bytes of data) for the transmission of large amounts of data. However, there are a small number of network types, usually wireless or satellite-based networks, where better performance can be achieved by using smaller packets. You can change the normal maximum size (1460) on a server by setting the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServe r\ Wds\icawd\MaxICAPacketLength If required, define the entry as a DWORD parameter (for example, 1000). Restart the server for this registry value to take effect. If the entry is undefined, has a value of zero, or a value greater than 1460, it will have no effect. Other values will cause the server and its clients to use a smaller maximum length for all packets sent after connection time. Caution Setting this registry value to enforce a lower maximum will have a significant negative effect on performance on all normal networks and it should, therefore, be used only in special situations.
159
Server Optimization
This section describes ways in which correctly configuring Windows services and applications for use in a multiuser environment improves performance and prevents system problems.
Auto-End Tasks
If an application does not properly exit, either when closed or upon server shutdown, the operating system can terminate the application using the Auto-End Tasks feature. Auto-End Tasks terminates any task that does not respond to a shutdown notice within the default time-out period. Enabling Auto-End Tasks affects all applications on the server and can cause issues with some applications that require a shutdown time period that is longer than the default time-out period. Therefore, the default time-out period must be greater than the time required for the longest successful shutdown for any server application. To enable Auto-End Tasks and set the default time-out period, modify the following registry settings: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: AutoEndTasks Type: REG_SZ Data: 1 Name: WaitToKillAppTimeout Type: REG_SZ Data: x where x is the interval in milliseconds (default is 20000) For more information, see Microsoft Knowledge Base articles Q123058 and Q191805.
160
System Hard Error Messages

Messages generated by system hard errors appear in the Presentation Server Console. If left unanswered on an unattended console, messages can cause ICA sessions to hang. You can configure system hard errors to create an entry in the system log instead of displaying a message on the console. Disabling the display of messages to the console decreases the likelihood of hung ICA sessions, but increases the need to monitor the event log for these types of errors. For more information, see Microsoft Knowledge Base articles Q124873 and Q229012. The following registry change disables system hard error messages on the console: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Windows Name: ErrorMode Type: REG_DWORD Data: 00000002
Dr. Watson
If you are using Dr. Watson, run the Dr. Watson Application Compatibility script to prevent stability problems. Citrix recommends that you disable the Visual Notification option available on the main screen of Drwtsn32.exe. You can disable Dr. Watson completely by clearing the following registry key value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug Name: Debugger Type: REG_SZ Data: (blank) You can restore Dr. Watson as the default debugger by executing drwtsn32.exe i.
161
Configuring the Event Log

Change the default event log configuration to prevent log files from running out of space, which generates errors. To change event log settings on Windows NT, Terminal Server Edition 1. Launch Event Viewer. 2. Choose Log > Log Settings. 3. Choose System in the Change settings for box. 4. Set the Maximum Log Size to at least 1024KB. 5. Choose Overwrite events as needed. 6. Choose Application in the Change setting for box and repeat Steps 4 and 5. 7. Click OK to save the settings. To change event log settings on Windows Server 2000 and Windows Server 2003 1. Launch Event Viewer. 2. Right-click System Log and choose Properties. 3. Set the Maximum Log Size to at least 1024KB. 4. Choose Overwrite events as needed. 5. Click OK to save the settings. Repeat Steps 35 for the Application Log.
Configuring Print Job Logging

By default, each print job logs two messages to the system log. On servers with many users, this feature generates numerous events and fills up the log faster. If you do not need these messages, you can disable them by changing the following registry setting: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\ Providers Name: EventLog Type: REG_DWORD Data: 0 Removing the EventLog value from the registry and restarting the server re-enables the logging of all print events.
162
Remote Procedure Call (RPC) Services

When opening RPC-aware applications such as Windows Explorer and Control Panel, delays of several minutes can result from incorrect service startup settings. Verify that the RPC service Startup type is set to Automatic and the RPC Locator service Startup type is set to Manual.
Tuning the Load Bias Level

Prior to the release of MetaFrame Presentation Server 3.0, the data collector temporarily increased the load of a server for each connection by 200 until it received a load update from the server. This increase is known as the load bias. In MetaFrame Presentation Server 3.0 this was changed to calculate the load bias level based on the load evaluator settings. For example, if a Server User Load evaluator was configured to report a full load at 40 users, the new bias level would be 250, not 200. To manually set the load bias level, the following registry key needs to be added to the farms data collectors and potential data collectors: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\LMS\ForceRegLoadBias By default, this value is set to 0 (off). To force the load bias to the one configured in the registry, set this value to 1. While it is not generally recommended or necessary to modify the load bias specified in the registry, this setting can be changed by editing the value of: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\LMS\LoadBias The default value is 200.
Server Service
Configure the Server service to represent the server role more appropriately. The performance boost realized from this server optimization setting depends on the function of the server. For example, if the server has available RAM, select the Maximize Throughput for Network Applications. Otherwise, select Minimize Memory Used. To configure the Server service on Windows NT, Terminal Server Edition servers 1. From Control Panel, double-click Network. 2. Click the Services tab. 3. Click the Server service. 4. Click Properties.
163
To configure the Server service on Windows Server 2000 and Windows Server 2003 1. From Control Panel, double-click Network and Dial-up Connections or Network Connections. 2. Right-click or select Local Area Connection and choose Properties from the Context menu. 3. Choose File and Printer Sharing for Microsoft Networks. 4. Click Properties. For more information, see Microsoft Knowledge Base article Q154075.
Level 2 Cache
For processors that use a direct-mapped L2 cache, configuring the value manually can yield a performance improvement. A direct-mapped L2 cache does not provide performance gains on Pentium II and later processors. For more information, see Microsoft Knowledge Base support articles Q228766 and Q183063. Use the following registry setting to modify a direct-mapped L2 cache: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Session Manager\Memory Management Name: SecondLevelDataCache Type: REG_DWORD Data: x where x is the L2 size in decimal (default: 0, which sets the cache to 256KB) Example: If the CPU has a 512KB cache, set the entry to 512 (in decimal).
164
Applications Optimization
This section describes some applications settings and optimizations that can improve performance.
Removing Unnecessary Features

To conserve ICA bandwidth, remove any unnecessary drive mappings, printers, or ports. Unless any of the following features are needed for specific applications, disable them: Disable Active Desktop on Windows Server 2000 through Terminal Services Configuration Desktop Wallpaper (In addition, remove any .bmp files in the %SystemRoot% directory to prevent users from selecting them.) Screen savers Microsoft Office FindFast Microsoft Office Assistants
Menu Refesh
You can change the menu refresh rate to expedite menu response time by modifying the following registry key: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: MenuShowDelay Type: REG_SZ Data: 10
Explorer Tips
You can disable the tips that are displayed at server startup by modifying the following registry settings: HKEY_CURRENT_USER\Software\Microsoft\Windows \CurrentVersion\Explorer\Tips Name: DisplayInitialTipWindow Type: REG_DWORD Data: 0x0 Name: Next Type: REG_DWORD Data: 0x100
165
Name: ShowIE4 Type: REG_DWORD Data: 0x0 Name: Show Type: REG_DWORD Data: 0x0
Smooth Scrolling
Many applications have smooth scrolling or other features that increase the frequency of updates sent to the client workstation. If applications exhibit poor performance, disable these features to improve performance. Two common settings are in Microsoft Excel and Microsoft Internet Explorer: Microsoft Excel 97/2000 1. Choose Tools > Options. 2. Click the Edit tab. 3. Clear the Provide feedback with Animation check box. Microsoft Internet Explorer 5 1. Choose Tools > Internet Options. 2. Click the Advanced tab. 3. Clear the Use Smooth Scrolling check box in the Browsing section. Tip While the server is in install mode (change user /install), changing application settings applies the changes to all future users. When finished, place the server back into execute mode (change user /execute).
Microsoft Internet Explorer Wizard

On the first launch of Microsoft Internet Explorer, the Internet Connection wizard requests the connection type. If you are using a LAN connection, you can bypass this dialog box by editing the default users registry settings as follows: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard Name: Completed Type: REG_DWORD Data: 0x1
166
Disk Optimization
Certain registry settings can be modified to increase disk performance and throughput. This section describes enhancements such as increasing I/O locks and disabling last file access updates.
I/O Locks
The registry setting IoPageLockLimit specifies the limit of the number of bytes that can be locked for I/O operations. Because RAM is being sacrificed for increased disk performance, determine the optimal setting for this value through pilot tests. Changing this setting from the default can speed up file system activity. Use the table below as a guide for changing the registry setting.
Server RAM (MB) 64128 256 512 1024+ IoPageLockLimit (decimal) 4096 8192 16384 65536 IoPageLockLimit (hex) 1000 2000 4000 10000
Modify the registry setting as follows: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Session Manager\Memory Management Name: IoPageLockLimit Type: REG_DWORD Data: 0 (512KB is used) For additional information about the IoPageLockLimit registry setting, see Microsoft Knowledge Base articles Q121965 and Q102985 at http:// support.microsoft.com.
Last Access Update

The NTFS file system stores the last time a file was accessed, whether it is viewed in a directory listing, searched, or opened. In a multiuser environment, this updating can cause a small performance decrease. To disable this feature, modify the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Name: NtfsDisableLastAccessUpdate Type: REG_DWORD Data: 1
167
Memory Optimization
This section describes optimal configuration of the system page file and system page table entries.
Page File
The page file is temporary storage used by the operating system to hold program data that does not fit into the physical RAM of the server. The ratio of physical memory to paged memory is the most important factor when determining the size of a page file. When configuring the page file, follow these guidelines: A proper balance between physical memory and paged memory prevents thrashing. Verify that more memory is in physical RAM than paged to disk. For optimal performance, this ratio should be approximately 3:1. Place the page file on its own disk controller or on a partition that is separate from the operating system, application, and user data files. If the page file must share a partition or disk, place it on the partition or disk with the least amount of activity. To prevent disk fragmentation of the page file, always set the page file initial size to be the maximum size. The optimal size of a page file is best determined by monitoring the server under a peak load. Stress the server while observing the size of the page file. To conserve resources, set the page file to a value slightly larger than the maximum utilized while under stress. If the server is short on physical RAM, use the page file to provide additional memory at the expense of performance.
Note For debugging purposes, create a page file on the root partition that is slightly larger than the amount of RAM installed.
Page Table Entries

You can improve the number of users that can utilize a single server by manually adjusting the page table entries (PTE) in the registry. The Windows kernel uses PTE values to allocate physical RAM between two pools of memory. By manually setting the maximum space allocated to the system PTE, the remaining space can be used to increase the number of users supported on the server. Determining the optimal configuration for PTE values is a complex task. For detailed information, see the Microsoft Knowledge Base article Q247904. A Kernel Tuning Assistant for Windows Server 2000 is also available from Microsoft.
168
User Settings Optimization

This section describes how correctly setting up users can provide additional performance gains. Where possible, modify the Default User profile to include the recommendations listed below. Tip When making changes to the Default User profile, restarting the server might be necessary before the changes take effect because the Ntuser.dat file is in use and unavailable to new users.
Windows Policies
Use system and group policies where possible, especially in an Active Directory environment. For more information about configuring policies, see Microsoft Knowledge Base articles Q161334 and Q260370.
Profiles
Users require an initial setup when logging on for the first time. This setup time is minimized by the use of roaming profiles. For more information about configuring roaming profiles, see Microsoft Knowledge Base articles Q142682 and Q154120. When you set up roaming profiles: Configure a dedicated server to host the profiles. If it is not possible to place the profiles on a dedicated server, place them on an isolated disk or partition. When using a server or drive dedicated to profiles and temp files, change the users profile and temp directories to point to the dedicated location.
You can disable locally cached profiles by changing the access of the following registry key and all subkeys to Read access only for everyone except SYSTEM (which should have Full Control): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\ProfileList
169
Audio Recording Optimization

One of the new features of MetaFrame Presentation Server 3.0 (with clients Version 8.0 or higher) is the ability to record sound in an ICA session. This allows users to dictate a recording in one session, and then have that data transcribed at a later date. This process is usually facilitated by third party software, such as WinScribes Internet Author and Internet Typist, used in conjunction with Philips SpeechMike devices or similar hardware. Most of the existing audio settings are optimized for playback and not recording. This entails buffering several seconds of data sent to the client to avoid drops in playback, much like when Windows Media Player or Real Player buffer data before sending it. When recording, however, a user can experience synchronization errors between what they hear and what is visible inside a session because of the queued up data in the buffer. The sections below recommend settings that reduce these delays. Note that changing these settings can cause a degradation in audio playback quality. Make these changes only if your primary use of audio is for recording. Note The settings that control SpeedScreen Multimedia Acceleration are totally separate from the settings that control the recording of audio; a user could use SpeedScreen Multimedia Acceleration for playback and optimize the settings for recording without degrading playback quality.
Setting up Audio Recording

Configuring the Server
By default, MetaFrame Presentation Server can record audio using a standard microphone. To use the Philips SpeechMike devices, however, drivers must be installed on all servers that are to have sessions that will record audio. It is recommended that the Philips drivers be installed before installing MetaFrame Presentation Server. If using WinScribes Internet Author or Internet Typist, these programs also need to be installed on the servers. Refer to the WinScribe documentation for any setup instructions. Configure published desktops or published recording applications to use legacy audio. The client connections ICA Settings Audio Quality should be set to medium or high. Medium is the default and is satisfactory for most applications. Policies can also be used to control audio recording. See the policy documentation in the MetaFrame Presentation Server Administrators Guide for more information about configuring policies.
170
Configuring the Client

The client must have an audio playback device, such as a soundcard, and an audio recording device, such as a microphone. The Philips SpeechMike devices often serve both purposes. Audio Recording works on Program Neighborhood, the Program Neighborhood Agent, and Web Interface clients, and needs to be enabled on whichever of these clients is being used. Ensure that either desktop sessions or published audio recording applications are properly configured to allow sound in the client settings. For most uses, medium audio quality is the recommended setting. Ensure that the audio security settings, available from the Connection Center or a sessions system menu, are configured to allow the recording of audio. These settings work in the same manner as the preexisting file security dialogs.
Using the Philips SpeechMike

Ensure that the drivers for the device are installed correctly on both the client and server. Make sure that the recorder works correctly on the local client. Do this by loading the recorder utility that comes with the drivers. Ensure that audio records and plays back locally. MetaFrame Presentation Server supports using the SpeechMike controls and foot pedal devices as well. Before attempting to use them in a session however, test them locally in the Philips recording utility. If everything works locally on a client device, the devices will work in an ICA session. SpeechMike controls may also have to be enabled inside the recording application in use. This is currently true for Internet Author and Internet Typist. See the applications documentation for details. Additionally, Citrix testing has experienced issues with configured USB foot pedals in Internet Author and Internet Typist. Citrix recommends that you use the default settings for these devices.
171
Optimizing Recording
If you are using MetaFrame Presentation Servers audio feature primarily for recording, several settings can be modified to improve performance. Note that making changes to these settings can cause playback quality to degrade, especially on low bandwidth, high latency connections. 1. On the client, open the Module.ini file located in %Program Files%\Citrix\ICA Client. Go to the ClientAudio section. 2. Change PlaybackDelayThresh to 1 or 2. This causes the data to be played almost immediately, rather than being queued up on the client. 3. Change NumDataBuffers to a small value such as 4 or 5. This causes fewer buffers to be allocated so less data can be queued up on the client. You can try a lower value, but network latency is usually too great to allocate enough data and you will get a lot of dropped packets on playback. These settings are intended for a standard LAN environment. The settings should work for a WAN as well, but there is a much greater likelihood that audio quality will decrease with settings this low. If this happens, the values can be increased, but this causes the buffering delay to be reintroduced.The values should be balanced based on the applications that are being run. If playback is of less importance, use the above recommendations. If playback is more important, increase the NumDataBuffers to around 10. Continue to increase this number for WAN connections until satisfied with the resulting playback quality. Citrix recommends that the NumDataBuffers value be manipulated before the PlaybackDelayThresh value when optimizing playback on high latency networks. The PlaybackDelayThresh value causes more discontinuity on the server side with respect to synchronization issues. The higher this value is set, the more likely playback will jump ahead inappropriately, causing the recording to start playing at a later spot than where it was stopped. For more information regarding the configurable settings for sound see Client Audio Mapping Virtual Driver .
172
Client Audio Mapping Virtual Driver

This section describes the configuration parameters for the Client Audio Mapping Virtual Driver and best practices for changing these settings in the Module.ini file.
NumCommandBuffers = 64
Descriptiondefines how many server-to-client commands can be buffered. Maximum Limit = 65000. Minimum Limit = 0. Setting this value to 0 causes the client to slow down or become unresponsive to the commands sent by the server. Buffers must be defined because after executing a command sent by the server, clients look in the buffer for the next command. Also, if there are no buffers, the commands sent to the client by the server might not be stored on the client and executed. Recommended Value = 64.
NumDataBuffers = 32
Descriptiondefines how many data buffers are available on the client to store the audio data sent by the server. Maximum Limit = 65000. Setting this value too high leads to memory hogging on the client, resulting in degraded performance. Minimum Limit = 0. If this value is set to 0, no data buffers are available on the client. The audio data being sent from the server to the client is not stored and eventually will not play. Recommended Value = 32. This value stores a maximum of 2048 bytes of sound data.
MaxDataBufferSize = 2048
Descriptiondefines the size of the data buffer and also how many bytes of sound data can be sent to the client from the server. Maximum Limit = 2048 bytes. Out of 2048 bytes, 10 bytes are reserved for the sound packet header while the remainder is the actual audio data that is played on the client. Minimum Limit: 1000 bytes. Recommended Value = 2048 bytes for the best sound performance on the client.
173
CommandAckThresh = 10
Descriptiondefines the number of commands that a client receives before sending an acknowledgement to the server. Maximum Limit: depends upon the NumCommandBuffers. If the NumCommandBuffers is set to 64, do not set the CommandAckThresh more than 64 because the client will not acknowledge more than 64 commands. Minimum Limit = 10. Recommended Value = 10.
DataAckThresh = 10
Descriptiondefines the number of sound packets the client receives before sending an acknowledgement to the server. Maximum Limit: depends upon the NumDataBuffers. If the NumDataBuffers is set to 32, do not set the DataAckThresh higher than 32 because the client will not acknowledge more than 32 sound data/packets. Minimum Limit: 10. Recommended Value = 10.
AckDelayThresh = 350
Descriptiondefines how many milliseconds the client waits before it sends an acknowledgement to the server for all the commands received from the server. Maximum Limit = 350. AckDelayThresh and CommandAckThresh are not interdependent. For example, if CommandAckThresh is set to 10 and AckDelayThresh is 350 but 350 milliseconds have not elapsed since the client last sent an acknowledgment but 10 commands were sent by the server to the client, the client still sends the acknowledgment. The same holds true if the 350 milliseconds passed but the server did not send 10 commands. The client sends the acknowledgement to the server without waiting for 10 commands. Minimum Limit: 350.
PlaybackDelayThresh = 250
Descriptiondefines how many milliseconds the client waits before it sends an acknowledgement to the server for all the sound data/packets received from the server. Maximum Limit = 250. PlaybackDelayThresh and DataAckThresh are not interdependent. Minimum Limit = 250.
174
ICA Priority Packet Tagging

ICA Priority Packet Tagging is a feature that identifies and tags ICA data based on the virtual channel from which the data originated. This tagging allows a more granular Quality of Service (QoS) solution by providing the ability to prioritize ICA sessions based on the virtual channel data being transmitted. This section describes virtual channel priorities and how ICA data is tagged with these priorities when sent over an Ethernet network using TCP/IP.
Virtual Channel Priorities

ICA Priority Packet Tagging provides the ability to prioritize ICA sessions based on the virtual channel data being transmitted. TCP/IP must be the protocol used. This is accomplished by associating each virtual channel with a two-bit priority. This two-bit priority is included as part of each ICA framing header. The two priority bits combine to form four priority values: 00 (0) High Priority 01 (1) Medium Priority 10 (2) Low Priority 11 (3) Background Priority
Each virtual channel is assigned one of these priority values. The default virtual channel priorities are as follows:
Virtual Channel CTXTW CTXTWI CTXCLIP CTXCAM CTXLIC CTXVFM CTXPN CTXCCM CTXCDM CTXCM CTXLPT Default Priority 0 0 1 1 1 1 1 2 2 3 3 Description Remote windows screen update data (Thinwire) Seamless windows screen update data (Thinwire) Clipboard Client audio mapping License management Video server video (that is, not Thinwire video) Program Neighborhood Client COM port mapping Client drive mapping Client management (Auto Client Update) Printer mapping for non-spooling clients (that is, WinTerms)
175
Virtual Channel CTXLPT2 CTXCOM1 CTXCOM2 CTXCPM OEMOEM OEMOEM2
Default Priority 3 3 3 3 3 3
Description Printer mapping for non-spooling clients (that is, WinTerms) Printer mapping for non-spooling clients (that is, WinTerms) Printer mapping for non-spooling clients (that is, WinTerms) Printer mapping for spooling clients Used by OEMs Used by OEMs
The priority settings for all virtual channels are stored in the following Registry key: [HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\icawd\Priority] (REG_MULTI_SZ) This key contains one line for each virtual channel in the format: VirtualChannelName,Priority VirtualChannelName is the standard virtual channel abbreviation as specified in the above table. VirtualChannelName must be seven characters, so trailing spaces must be added before the comma when necessary. Priority is one of the following numeric priority values: 0, 1, 2, 3. The Thinwire virtual channels (CTXTW and CTXTWI) are the only high priority virtual channels by default, thus ensuring that time-sensitive user interface data is sent ahead of all other data.
176
ICA Data Transmission

The implementation of ICA Priority Packet Tagging is best understood by examining how ICA data is packaged for transmission across an Ethernet network using TCP/IP. The following diagram depicts the flow of ICA data through each protocol layer as it is generated by the client application (or server) and packaged for delivery to a server (or client application) over a TCP/IP network:
ICA data travels through the same protocol layers but in the reverse direction when received at the destination (client or server). All ICA protocol layers reside at the Presentation layer of the OSI networking model. The ICA protocol layers depicted in the above diagram are described further in the following sections.
177
Drivers Used with Virtual Channels

Each virtual channel has its own driver that sends data to the WinStation driver. The format of the virtual channel data is not standardized because it depends completely on the virtual channel implementation. The following drivers are also used to support virtual channel communication:
WinStation Driver
The WinStation driver receives ICA virtual channel data from multiple virtual channel drivers and packages the data for receipt by lower network layers. The WinStation driver works at the Application, Presentation, and Session layers of the OSI networking model. The WinStation driver establishes the ICA session between the client and the server, and maintains session information such as whether or not compression and encryption are turned on, and whether or not ICA Priority Packet Tagging will be used. It also encodes ICA command information and transforms input virtual channel data into ICA packets, which are placed in the WinStation drivers input buffer.
Encryption Protocol Driver

When encryption is turned on, the encryption protocol driver adds an encryption header to the output buffer data passed from the WinStation driver. All data after the encryption header is encrypted, including the compression header (if included).
Framing Protocol Driver

The framing protocol driver calculates the byte count of the output buffer and adds a framing header. In addition to the byte count, the framing header includes a twobit priority value as determined by the WinStation driver. For example, if the total byte count of the output buffer is 1320 bytes and the packet is high priority, the binary value of the framing header is as follows:
The low order and high order bytes are reversed for network transmission, and the framing header is created as follows:
178
Quality of Service Solutions

Quality of Service (QoS) solutions that take advantage of ICA Priority Packet Tagging provide QoS benefits that are more granular than prioritizing ICA traffic based only on application name or user name. This is because ICA Priority Packet Tagging provides QoS solutions with the opportunity to identify virtual channel priorities within an ICA session so that ICA sessions transmitting higher priority data are delivered first. ICA Priority Packet Tagging requires that the following considerations be addressed when used in combination with a QoS solution: TCP and IP are stream-oriented protocols. When ICA data is received by TCP and then by IP, it may be combined or broken up differently than how it was packaged by the ICA protocol drivers. The ICA output buffers are specifically limited to 1460 bytes so that they remain intact when delivered to the TCP/IP protocol stack. However, it is not guaranteed that the output buffers will remain intact. Therefore, the priority bits in the ICA framing header may not always be in the same place in the TCP segment or IP packet. This prevents QoS solutions from relying on a data offset to identify the priority bits at the TCP or IP layers. To circumvent this potential issue, QoS solutions must verify that the byte count in the header information of the TCP and IP layers matches the byte count in the first two bytes of the ICA data (when aligned correctly, these first two bytes will include the priority bits and the byte count of the ICA framing header). When the byte counts do not match, the ICA output buffers are most likely not intact within the TCP segments; therefore, the first two bits of ICA data in the IP packet should not be interpreted as priority bits. ICA Priority Packet Tagging is implemented at the Presentation layer of the OSI networking model. Most routers read data at lower layers; therefore, routers dont have access to the ICA Priority Packet Tagging information. When IP packets are sent through a router, the packets may be fragmented. If this is the case, the first packet will contain the framing header, including the priority bits and an incorrect byte count (because the packet was fragmented). Subsequent packet fragments will not have a framing header and thus will not include the priority bits (or a byte count). Therefore, if QoS solutions receive the ICA traffic after fragmentation by a router, not all IP packets will have the priority bits. Verifying the byte counts between the IP layer and the ICA framing header as described above ensures that the priority bits are interpreted correctly.
179
TCP requires an acknowledgement of receipt for each TCP segment in the TCP buffer before sending additional segments. This prevents QoS solutions from being able to implement functionality that holds back printing ICA data and forwards on Thinwire ICA data within a single ICA stream (which is also a single TCP stream). TCP reports a failure of receipt for the TCP segments being held because they were not received by the destination in a timely manner. QoS solutions must implement ICA Priority Packet Tagging in such a way that the transmission speed of each TCP stream is dynamically altered based on the priority bits of the ICA data being transmitted, instead of attempting to hold back individual pieces of data within the stream. Program Neighborhood clients and MetaFrame servers running a software version released prior to MetaFrame 1.8, Feature Release 1 will establish ICA sessions without ICA Priority Packet Tagging. Unless QoS solutions detect the Citrix software version in use by the ICA session, all ICA traffic in these sessions, is treated as high priority (priority 0) because the two bits that are now used for ICA Priority Packet Tagging were not used (and thus set to 0) in previous versions of MetaFrame.
Tip Packeteer, Inc., a provider of application performance infrastructure systems, has released a QoS solution that takes advantage of ICA Priority Packet Tagging. Packeteers PacketWise 5.1 release is incorporated in the PacketShaper and AppVantage product lines. For additional information about Packeteers QoS solutions, visit www.packeteer.com.
180
Load Balancing Servers Running the Web Interface

This section describes a sample scenario that demonstrates how to use a hardware load balancer to perform round-robin HTTP redirection to distribute connections between two servers running the Web Interface. Note The following scenario involves the Citrix products MetaFrame XP and NFuse.
Scenario Configuration and Topology

The sample scenario is configured as follows: The load balancer is a Cisco LocalDirector 416, with software Version 4.1.2. The servers running the Web Interface are Compaq DL320s running Microsoft Windows Server 2000 with Service Pack 2. The load balancer is configured to listen for HTTP connection requests on ports 80, 81, and 82. Ports 81 and 82 are configured to direct traffic straight to the first and second NFuse servers, and port 80 is configured to perform the load balancing. Clients are directed to make their connections to http://nfuse.inter.net/Citrix/NFuse17. When HTTP traffic arrives on port 80 on the load balancer, a load balancing decision is made and an HTTP redirect is returned to the client browser specifying an alternate port for the connection. When this occurs and the client is using the Web Interface page, the data is always transmitted to the same server running the Web Interface and session state data is not lost. A public network in which the clients reside A demilitarized zone (DMZ) containing the server running the Web Interface An internal network in which the MetaFrame XP server farm resides
The network topology consists of:
The DMZ is situated between two firewalls, with the first network interface card (NIC) of the load balancer connected directly into the DMZ. The servers running the Web Interface are connected to the load balancers second NIC. This configuration is illustrated in the figure below.
181
The machines in the DMZ all have static IP addresses in the network 192.168.1.0/ 255.255.255.0. The client-facing firewall presents an external IP for the load balancer (172.27.19.4 in this example), which is converted to the real load balancer IP address (192.168.1.4) after firewall traversal. Clients on the public network can resolve the external load balancer IP address from the name nFuse.inter.net. The machines on the internal network are in the range 192.168.2.0/ 255.255.255.0. On the internal network, there is a MetaFrame XP Feature Release 2 server, named mf1, with a static IP address of 192.168.2.10, running the Citrix XML Service (shared with IIS) on port 80. The servers running the Web Interface, Nfuse1 and Nfuse2, are configured with the static IP addresses 192.168.1.10 and 192.168.1.11, respectively. The Web Interface configuration on each server is identical.
182
Setting Up the Sample Scenario

Step 1 Configure the Load Balancer
The load balancer is configured to present three virtual IP:port combinations to the real world: 192.168.1.4:80, 192.168.1.4:81, and 192.168.1.4:82 On the Cisco LocalDirector 416, use the following values: virtual 192.168.1.4:80:0:tcp is virtual 192.168.1.4:81:0:tcp is virtual 192.168.1.4:82:0:tcp is
Step 2 Create URL Mappings for Redirection

Two URL mappings are created for performing the HTTP redirection: http://nfuse.inter.net:81/%p http://nfuse.inter.net:82/%p url nfuse1 http://nfuse.inter.net:81/%p 302 url nfuse2 http://nfuse.inter.net:82/%p 302
On the Cisco LocalDirector 416, use the following values:
Step 3 Bind URLs to Virtual Server

The URLs are then bound to the virtual server 192.168.1.4:80. On the Cisco LocalDirector 416, use the following values: bind 192.168.1.4:80:0:tcp nfuse1 bind 192.168.1.4:80:0:tcp nfuse2
Step 4 Bind Ports on Virtual Server to Actual IP Addresses

Ports 81 and 82 of the virtual server are bound to the real NFuse Classic server IP addresses and Web server ports: 192.168.1.4:81 => 192.168.1.10:80 192.168.1.4:82 => 192.168.1.11:80 On the Cisco LocalDirector 416, use the following values: bind 192.168.1.4:81:0:tcp 192.168.1.10:80:0:tcp bind 192.168.1.4:82:0:tcp 192.168.1.11:80:0:tcp
183
Step 5 Ensure Valid URLs

Links are then created between the HTTP redirection URLs and the virtual Web Interface servers so that the load balancer takes the URL out of service when the respective server running the Web Interface is out of service: http://nfuse.inter.net:81/%p => 192.168.1.4:81 http://nfuse.inter.net:82/%p => 192.168.1.4:82 On the Cisco LocalDirector 416, use the following values: link nfuse1 192.168.1.4:81:0:tcp link nfuse2 192.168.1.4:82:0:tcp
Step 6 Ensure Continuity of Service

The final step is to ensure that clients that have already been load balanced to one of the NFuse servers continue to function if the server they are using fails. To do this, the servers running the Web Interface specify 192.168.1.4:80 as their backup server. On the Cisco LocalDirector 416, use the following values: backup 192.168.1.4:81:0:tcp 192.168.1.4:80:0:tcp backup 192.168.1.4:82:0:tcp 192.168.1.4:80:0:tcp
With the preceding configuration and the client-facing firewall set to allow traffic to 192.168.1.4 on ports 80, 81, and 82, the load balancing solution worked when tested.
CHAPTER 8
Security Issues and Guidelines
This chapter includes information about securing your server farm. The information in this chapter is intended to supplement the information about securing MetaFrame Presentation Server environments found in the following documents: The Secure Gateway for MetaFrame Administrators Guide The MetaFrame Presentation Server Administrators Guide The Web Interface Administrators Guide The Administrators Guides for the MetaFrame Presentation Server Clients
Securing Your Servers

This section discusses steps you can take to secure your farms servers.
Configuring Administrator Accounts

Limit administrator accounts to users who are members of the Windows network administrators group. This group is presumed to be well controlled and to have administrative access to network resources, including print servers. To lessen the risk of compromising the domain administrator account, use a global group of limited user accounts to administer servers in the farm. To configure administrator accounts using a global group 1. In the domain where you manage user accounts, create a domain global group. In this example, this group is named MPSAdmins. 2. Add the user accounts of people who need MetaFrame administrator privileges to the MPSAdmins global group. 3. Add the MPSAdmins global group to each servers local Administrators group. 4. In the Presentation Server Console, add the MPSAdmins global group to the list of MetaFrame administrators.
5. When a new user account requires MetaFrame administrator privileges, add the account to the MPSAdmins global group. When MetaFrame administrators are members of an Active Directory domain, use a domain local group for farms within a single Active Directory domain or a universal group for farms that span a forest.
Configuring the SNMP Service

The SNMP service on Windows has read/write privileges by default. If you use Network Manager or other SNMP management software for monitoring only the server (not remote management), Citrix recommends that the privileges be read only. If no SNMP consoles are used, remove the SNMP service from the server. Note You must give read/create permissions to the SNMP service for administrative tasks, such as logoff and disconnect through Network Manager. You can configure the SNMP community and designated management consoles to prevent unauthorized access. Configure SNMP agents to accept traps from known SNMP consoles only. Microsoft has released security bulletins for SNMP security risks on both Windows NT 4.0 (MS00-095, MS02-006) and Windows Server 2000 (MS00-096, MS02006). Tip Block incoming SNMP traffic from the Internet by using a firewall that prevents passage of traffic on UDP ports 161 and 162.
Other Recommended Precautions

Using NTFS Partitions
For maximum security, install MetaFrame Presentation Server only on NTFSformatted disk partitions. This ensures that the local Access databases are secured because the folder %Program Files%\Citrix\Independent Management Architecture is marked so that only system and local administrators have full control. Do not change these Access Control Lists (ACLs).
(on master page) Header Chapter 8 Security Issues and Guidelines
187
Controlling Connection Access

For increased control of access to the Terminal Server listeners, use the Citrix Connection Configuration utility (Mfcfg.exe) to remove the Everyone group from the Permissions list for each of the listeners and specify only the user groups that require access. Note On Windows Server 2003 it is no longer necessary to remove the Everyone group from the Permissions lists of the listeners.
Security Considerations for the Data Store

Users who access your farms servers do not require and should not be granted any access to the data store. When the data store connection is a direct one (that is, no intermediary server is used) , all of the servers in the server farm share a single user account and password for accessing the data store. Select a password that is not easy to deduce. Keep the user name and password secure and give it to MetaFrame administrators only for the purposes of installing MetaFrame Presentation Server. If the user account for direct mode access to the database is changed at a later time, the Citrix IMA Service will fail to start on all servers configured with that account. To reconfigure the Citrix IMA Service password, use the dsmaint config command on each affected server. For information about the dsmaint config command, see the MetaFrame Presentation Server Administrators Guide. Citrix recommendations for securing the data store vary depending on the database you use for the data store. The following sections discuss security measures to consider for each of the database products supported by MetaFrame Presentation Server.
Microsoft Access
For an Access data store, the default user name is citrix and the password is citrix. If users have access to the data store server, change the password using dsmaint config and keep the information in a safe place. Important Be sure to create a backup of your data store before using dsmaint config to change the password on your data store.
188
Microsoft SQL Server

The user account that is used to access the data store on Microsoft SQL Server has public and db_owner roles on the server and database. System administrator account credentials are not needed for data store access; do not use a system administrator account because this poses an inherent security risk. If the Microsoft SQL Server is configured for mixed mode security (you can use either Microsoft SQL Server authentication or Windows NT authentication), you may want to create a Microsoft SQL Server user account for the sole purpose of accessing the data store. Because this Microsoft SQL Server user account would access only the data store, there is no risk of compromising a Windows domain if the users password is compromised. Tip For high security environments, Citrix recommends using only Windows NT authentication. For tighter security, you can change the user accounts permission to db_reader and db_writer after the initial installation of the database with db_owner permission. Important Changing the user accounts permission from db_owner may cause problems installing future service packs or feature releases for MetaFrame Presentation Server. Be sure to change the account permission back to db_owner before installing a service pack or feature release for MetaFrame Presentation Server.
Microsoft SQL Desktop Edition

Windows NT Authentication is supported for the Microsoft SQL Server Desktop Edition (MSDE) database. For security reasons, Microsoft SQL Server authentication is not supported. For further information, consult Microsoft documentation. The user name and password typically is the local system Administrator account. If users have access to the data store server, change the password using dsmaint config and keep the information in a safe place.
Oracle
If the data store is hosted on Oracle, give the Oracle user account that is used for the MetaFrame Presentation Server farm connect and resource permissions only. System administrator (system or sys) account permissions are not needed for data store access.
Chapter 8 Security Issues and Guidelines
189
IBM DB2
If the data store is hosted on IBM DB2, give the DB2 user account that is used for the MetaFrame Presentation Server farm the following permissions: Connect database Create tables Register functions to execute to database managers process Create schemas implicity
System administrator (DB2Admin) account permissions are not needed for data store access.
Network Security Considerations

Servers and the farms data store should reside on networks that are secure from network packet capturing or sniffing. In some instances, including the following, server-to-server communication is in clear text: Communication between the Presentation Server Console and the member servers over TCP port 2513, by default Communication between the member servers and the data collectors over TCP port 2512, by default Note You can use the imaport utility to change the IMA communication ports to decrease security risks. Communication between the member servers and the data store through ODBC
Microsoft SQL Server communication is secure when the multi-protocol encryption option is configured correctly on both the Microsoft SQL Server and the clients. For more information about enabling multi-protocol encryption, consult the Microsoft SQL Server documentation.
190
Securing Your Network against Denial of Service Attacks

Denial of service (DoS) attacks saturate networks and servers with useless calls for information. Attackers use multiple sites to make distributed attacks on one or more networks, servers, or Web sites. Servers subjected to this sort of jamming either become unresponsive or too busy to be of use when a network becomes flooded. Not only is the network compromised for communication, it also becomes unavailable as a tool for tracing the attacks. See the Microsoft Web site for recommendations for fixing registry settings to make your networks and servers less prone to network DoS attacks. Try a keyword search using Security Considerations for Network Attacks to see this information. Microsoft suggests changing the following registry settings to help secure your network against DoS attacks: SynAttackProtect TcpMaxHalfOpen TcpMaxHalfRetried Enable PMTUDiscovery NoNameReleaseOnDemand EnableDeadGWDetect KeepAliveTime PerformRouterDiscovery EnableICMPRedirects
Securing the Presentation Server Console

The console is a Java application that can be run on your farms servers. Run the console only in environments where packet sniffing cannot occur. To run the console on a remote server 1. Make a secure connection from a client to a server. 2. Launch the console in the ICA session. 3. In the Log On to MetaFrame Farm dialog box, select the server on which the ICA session is running. Ensure that only MetaFrame administrators have access to the console. You can set NTFS permissions so that non-administrators do not have Execute permission for the console executable (Ctxload.exe).
191
Securing the Web Console

The Web Console relies on IIS security for logon authentication. The Citrix Web Console allows authentication only with accounts that are recognized by the local IIS server and that are also designated as MetaFrame administrators. Local accounts work if the Web Console is run on a computer running MetaFrame Presentation Server. Windows NT and Active Directory domain accounts work if the Citrix Web Console server is a member of the domain or trusts the domain. To ensure the security of credentials when logging off from the Citrix Web Console, close the Web browser to log off from the session. IIS causes every packet passed between client and server to contain the cached credentials. This could compromise security. Citrix recommends enabling SSL encryption on Citrix Web Console connections, especially for connections made across any public network. To set up your IIS server for SSL encryption 1. Set up your IIS server with an SSL certificate. 2. Open the Internet Services Manager and go to Default Web Site\Citrix\Webconsole\WebConsoleApp. 3. Right-click WebconsoleApp and select Properties. 4. In the Properties dialog box, select Directory Security. 5. In the Secure Communications section, click Edit. 6. Select Require secure channel (SSL). 7. Optionally, select Require 128-bit encryption (for this option, install the highencryption pack available for download at http://www.microsoft.com). By default, the Citrix Web Console detects if a connection uses SSL and allows you to reconnect with SSL or to continue with no encryption. Requiring encryption functionality at a higher level than WebConsoleApp prevents this page from being displayed if you connect without encryption. The error message Page cannot be displayed is shown instead. Important The Citrix Web Console does not support Netscape or non-Windows versions of Internet Explorer. Use Internet Explorer 4.0 or later on a Windows platform. Running the Citrix Web Console on an unsupported platform can result in security risks.
192
Securing Client Communication

Depending on your MetaFrame environment, several features included with MetaFrame Presentation Server allow you to further secure communications between clients and servers. MetaFrame Presentation Server includes support for ICA encryption, which uses RSAs RC5 encryption, between servers and clients. Support for open standards technology was added with the release of MetaFrame XP Feature Release 1. Feature Release 1 added Citrix SSL Relay, which uses standard Secure Sockets Layer (SSL) encryption between servers and clients. MetaFrame XP Feature Release 2 and later includes the Secure Gateway for MetaFrame. The Secure Gateway provides an SSL/TLS Internet gateway between servers and clients located on the Internet. For more information about setting encryption, see the Secure Gateway for MetaFrame Administrators Guide, the MetaFrame Presentation Server Administrators Guide, and the Administrators Guides for the clients.
Securing Web Interface Communication

When using the Web Interface, you can put in place the following to secure clientto-server communication: Instruct users to connect to the Web Interface pages using HTTPS (secure HTTP). IIS must have an SSL certificate installed to establish a secure HTTP connection. Configure the Web Interface ticketing feature to further secure the direct communication between the clients and the servers. Configure the Web Interface to use SSL Relay for encryption between the Web server running the Web Interface and the servers. If you are configuring SSL Relay on a server with a static IP address, set the following registry key to the fully qualified domain name (FQDN) of the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Tcpip\Parameters\Domain Tip To ensure that only ICA connections using SSL (typically port 443) are allowed through a firewall, block port 1494.
193
Web Interface Console Security

You manage and configure the Web Interface using the Web-based Web Interface Console. The changes you make using this utility modify the WebInterface.conf file located in Inetpub\wwwroot\Citrix\MetaFrame\conf. The Web Interface Console can be used to modify virtually all aspects of the Web Interface configuration. Users need administrative access to the system to use this utility. This utility does not offer an option for logging off. User credentials are cached and administrators are not logged off until they close their browsers. Citrix recommends that administrators close their Web browsers after using the utility to prevent access by users who do not have rights to administer the system. Security can be tightened by restricting access to the Web Interface Console. This can be done by setting IP Address and Domain Name Restrictions for the Citrix/MetaFrame/WIAdmin folder using Internet Services Manager.
Disabling Pass-Through Authentication

If your network does not have a mechanism to automatically log off inactive users, you may want to disable pass-through authentication to prevent unauthorized access to your server farm. To disable pass-through authentication 1. In Program Neighborhood, choose Tools > ICA Settings. 2. Clear the check box for the Pass-Through Authentication option. 3. Delete the following files from the client files folder to disable the feature and prevent a user from enabling it again in the client: Ssoncom.exe Ssonstub.dll Ssonsvr.exe
194
To disable pass-through authentication in Program Neighborhood Agent 1. Uninstall the client from Add/Remove programs. 2. Reinstall the Program Neighborhood Agent and ensure that you do not enable Pass-Through Authentication when prompted during the install. 3. Delete the following files from the client files folder to disable the feature and prevent a user from enabling it again in the client: Ssoncom.exe Ssonstub.dll Ssonsvr.exe
4. Use the Program Neighborhood Agent Console or edit the Config.xml file to disable Pass-Through Authentication under authentication options.
Configuring Proxy/Firewall Integration

Securing Client Connections through a Proxy/Firewall
This section covers recommended configurations for clients connecting through a firewall with SOCKS support or Secure Proxy connections. It assumes that the firewall or Secure Proxy server is configured according to the servers documentation and recommended configurations. For the purpose of this section, the default ports are used for each component of the firewall/proxy policy configuration. The typical ports are as follows: ICA Port: 1494 Common Gateway Protocol: 2598 SOCKS (v4 or v5): 1080 Web Proxy: 80 and/or 8080 Secure Proxy: 443 and/or 563 Note Some Web proxy configurations may use port 3128 as the default Web proxy port.
195
NTLM Support
Windows NT Lan Manager (NTLM) authentication support was added starting with client Version 7.00.14874. Prior to Version 7.00.14874, only SOCKSV5 and Secure Web Proxy authentication were supported, both of which use clear-text (basic authentication) to transmit the password information. NTLM authentication is a Microsoft proprietary method, that is more secure than basic authentication and does not use clear text to transmit password information. It is supported with Microsoft Proxy Server 2.0 and Microsoft ISA server. NTLM is a challenge/ response process where the server challenges the client to encrypt a random number with the client's password hash, while the server sends the same challenge to the domain controller along with the client's response. The domain controller decides the authenticity of the request.
Proxy ICA/INI File Parameters

If clients are connecting to the server farm through a proxy server, you must add the following parameters to the users .ini files (located in the %userprofile%\Application Data\ICA Client\APPSRV.INI file) or ICA files (including the Web Interface and Citrix Program Neighborhood Template.ica) on the client device. Each parameter is defined later in this section. Add the parameters to the [WFCLIENT] section of the .ini or .ica file or in the [<APPLICATION>] section only if the DoNotUseDefaultCSL=ON parameter is set in the same section.
INI File Parameters for Client Version 6.20.986

ICASOCKSProtocolVersion={-1|0|4|5} ICASOCKSProxyHost=FQDN Proxy Address or IP Address ICASOCKSProxyPortNumber=Proxy Port ICASOCKSrfc1929UserName=SOCKSv5 User Name ICASOCKSrfc1929Password=SOCKSv5 User Name Password ICASOCKSTimeout=Time in milliseconds after the client waits for initial response from the proxy server
196
INI File Parameters for Client Version 6.30.1050

Tip The 6.30.1050 Version of the client responds to the 6.20.986 parameters for backward compatibility. ProxyType={None|Auto|Socks|SocksV4|SocksV5|Secure|Script} ProxyHost=Proxy Address:Proxy Port or IP Address:Proxy Port ProxyBypassList=Domain names/IP Addresses that the Proxy Server will ignore at connection time ProxyAutoConfigURL=Address of Http server path of Auto-Configuration File ProxyUsername=SOCKSv5/Secure Proxy Username ProxyPassword=SOCKSv5/Secure Proxy Password ProxyTimeout=Time in milliseconds after the client waits for initial response from the proxy server; minimum value is 1000
Definitions of the Parameters

ProxyType. Determines the type of connection used by the client device. None the client always uses a direct connection to the server; there is no connection to the proxy/firewall server Auto uses the client devices Web browser settings (Microsoft Internet Explorer 4.x or later, Netscape Navigator 4.76 or later) SOCKS creates a SOCKS connection to the server and auto-detects the SOCKS version number used by the proxy/firewall SOCKS V4 creates SOCKS Version 4 connections SOCKS V5 creates SOCKS Version 5 connections Secure connects through a secure tunnel protocol; usually a high encryption or SSL/TLS connection. You must configure the Citrix SSL/TLS Relay or use Secure Gateway for MetaFrame Presentation Server. Citrix recommends that you use the SSL/TLS+HTTP connection protocol or use TCP/IP+HTTP and set the encryption to 128-bit. Script uses the JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS) to configure the proxy connection set in the mentioned formats. Set the ProxyType to Auto and use the clients Web browser preferences for auto-configuration scripts. The path to the file is set in the ProxyAutoConfigURL parameter.
197
ProxyHost. Includes the address of the proxy host and port number. To set the IP address of the proxy server or to use its fully qualified domain name (FQDN), enter the proxy/firewall port number at the end of the address using the following sample formats: 192.168.0.1:8080 or proxy.citrix.com:1080. ProxyBypassList. Allows you to specify domain names that should be ignored during a proxy connection. Use the ProxyBypassList setting to connect the client to servers in the same subnet or network without using proxy or firewall servers. For example, a client device may reside in the same domain (corp.company.com) as your farms servers. In this case, you can set the ProxyBypassList parameter to *.corp.company.com *.partner.company.com instead of configuring each connection for direct connections. Setting the parameter to this value configures the client to ignore any proxy servers when connecting to these domains. Use a semicolon or a comma to separate entries if adding multiple domains. ProxyAutoConfigURL. Allows you to include an HTTP URL to a JavaScript Proxy Auto-Configuration file (*.PAC) or the Microsoft Internet Explorer Internet Settings file (*.INS). This setting is used when an administrator wants to centralize proxy or firewall server-client configuration by using a script file. The script file can be either a JavaScript PAC file or Microsoft Internet Explorer INS file. For information about creating these files, follow the links below: MSDN Article on PAC Files: http://www.microsoft.com/mind/0599/faq/faq0599.asp Internet Explorer Administration Kit Article: http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/ default.asp?URL=/windows/ieak/techinfo/deploy/60/en/autodis.htm ProxyUsername/ProxyPassword. Location to configure the SOCKS 5 or Secure Proxy authentication credentials. If the ProxyUsername/ProxyPassword parameters are not set and the proxy or firewall connects to a server configured for SOCKS 5 or Secure Proxy with authentication, the user is prompted for credentials. The user credentials are for proxy authentication only and may not be the same as the users domain or network credentials. When the ProxyUsername/ProxyPassword parameters are set, the client passes the users credentials to the proxy server.
198
Important On any SOCKS 5 or Secure Proxy server configured to require authentication, the user name and password are passed in clear text. Citrix recommends that you do not set these parameters if credentials are going to be passed through a public network such as the Internet. Even if the ICA connection is set to use SSL/TLS+HTTP, the credential packets are sent before any secured tunnel is established. Note that this is not true for NTLM authentication, which is supported by clients starting with Version 7.00.14874 ProxyTimeout. The time in milliseconds after the client waits for initial response from the proxy server
Program Neighborhood and Proxy/Firewall Connections

When using Program Neighborhood, the following parameters can be set from the Custom Connection Settings > Connection Properties > Application Set settings interface. In the Server Location dialog box, click Firewalls to set the following parameters: Use Web browser proxy settings sets the ProxyType parameter to a value of Auto.
None (direct connection) sets the ProxyType parameter to a value of None.
SOCKS sets the ProxyType parameter to a value of SOCKS. To specify a version number for SOCKS, edit the users Appsrv.ini file and change the value for the ProxyType to the correct version parameter. You must add the proxy address and port fields to this setting. Secure sets the ProxyType parameter to a value of Secure. You must specify the proxy address and port fields. Doing so sets the ProxyHost parameter. Note For more information, see the Client for 32-bit Windows Administrators Guide.
199
Recommended Server and Client Configurations

Many proxy servers are configured to permit Web proxy connections only to standard ports, typically ports 443 and 80. Client proxy connections use destination ports based on the type of connection indicated in the ICA connection properties. For example, an ICA connection configured to use TCP/IP with a proxy server will attempt to proxy to port 1494 on the computer running MetaFrame Presentation Server. On certain proxy servers, this connection may be rejected. Citrix recommends that you configure your farms server to run the Citrix SSL Relay Service on port 443. Configure the client to use SSL/TLS+HTTP to connect. Configuring the client to use SSL/TLS+HTTP forces it to contact the proxy server with a destination port of 443 on the computer running MetaFrame Presentation Server. This configuration allows connections through the proxy server without having to reconfigure the proxy server policy. If you do not use SSL, you will most likely need to configure your server to allow port 1494. With MetaFrame Presentation Server 3.0, you may also need to configure port 2598 for the common gateway protocol (CGP) that is used for the session reliability feature. If your proxy server is configured to allow connections only to an authorized set of IP addresses, modify the proxy server policy to include the FQDN or IP addresses of your farms servers.
200
Using Smart Cards with MetaFrame Presentation Server

This section includes information about using smart cards with MetaFrame Presentation Server. This section assumes that you set up your smart card environment properly. Before you attempt to use smart cards with MetaFrame Presentation Server, ensure that you set up the following: The users PIN and certificate are saved to the smart card Active Directory domains and Certificate Authorities are configured for smart card support The vendors smart card software tool is installed on the server The vendors smart card software tool is installed on the clients, if necessary
See the documentation from your smart card vendor for details. For more information about using smart cards with Windows Server 2000, see Microsoft Knowledge Base support articles Q313557 and Q227873. For more information about configuring Active Directory domains and Certificate Authority for smart card support, see Microsoft Knowledge Base support articles Q313274, Q257480, and Q231881. Default readers and cards supported by Microsoft are listed in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais. The minimum configuration to use smart cards in a MetaFrame Presentation Server environment requires only that the Cryptographic Service Provider (CSP) is installed on the server and that the smart card reader driver is installed on the client. This allows Program Neighborhood to function using smart cards. Program Neighborhood Agent and Web Interface both require the CSP to be installed on the client as well. Important Some GemPlus and Schlumberger smart cards may work correctly with MetaFrame Presentation Server 3.0 installed on Windows Server 2003 without installing any vendor-specific CSP software. The same is true for Windows Server 2000 and Windows XP clients.
Note The built-in Schlumberger driver requires a registry modification to allow it to function on a Windows Server 2003. Add the text SLBCSP.DLL SLBIOP.DLL; to the end of the string in this value: HKEY_LOCAL_MACHINE\Software\Citrix\CtxHook\AppInit_DLLs\SmartCard Hook\SpecialDLLSearch
201
Important Windows XP, Windows Server 2000, and Windows Server 2003 include native support for some smart card readers. To determine if the reader is supported by default, attach the reader to the client and let the operating system detect and install the drivers. If there is not an option to log on using a smart card after you restart the system, you must install the vendors software drivers. Also Windows XP, Windows Server 2000, and Windows Server 2003 have default CSPs installed for many Schlumberger and GemPlus smart cards.
Copying Smart Card User Certificates

When users log on to servers in the farm to run applications that require certificates, the certificate needs to be copied to the users personal store. Certificates are copied to the personal store when users log on if the following registry key exists on the server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Winlogon\Notify\ScCertProp If the registry key listed above does not exist on the server, see Microsoft Knowledge Base support articles 313557, 265087, and 281245 for additional information about copying certificates. The following procedure explains how to determine if the certificate is available in the users personal store. To determine if the certificate is available in the users personal store 1. Start Internet Explorer. 2. Click Tools and choose Internet Options. 3. Click the Certificates button on the Content tab. 4. The users certificate is listed on the Personal tab of the Certificates dialog box. Important The users certificate must be present in the personal store to use smart cards with the Program Neighborhood Agent and Web Interface. You can also copy the users certificate to the personal store by logging on locally to the server with the users smart card. Run the smart card tool on the server and register the users certificate. This procedure varies depending upon the smart card vendor tool that is installed. See the online help installed with the specific tool for details.
202
Using Smart Cards with the Web Interface and the Program Neighborhood Agent
Using smart cards with MetaFrame Presentation Server 3.0, the clients, or the Web Interface simplifies the authentication process while enhancing logon security. This section assumes that the server running the Web Interface is running Windows Server 2000 with Microsoft Internet Information Services (IIS). To use smart cards with the Web Interface, configure the IIS Web server and enable smart card authentication using the Web Interface Console. To use smart cards with the Program Neighborhood Agent, you must configure IIS to support smart card authentication. Configure IIS to have a Certificate Authority that can be set up in an Active Directory domain. For more information, see Microsofts documentation about IIS and Certificate Authorities. Note Citrix recommends that you use Active Directory if you want to use smart cards with MetaFrame Presentation Server.
Configuring IIS for Smart Card Support

To configure IIS to support smart card authentication, you must complete the following tasks. These tasks are described in more detail below. 1. Enable the Windows Directory Mapper Service. 2. Install a server certificate. 3. Ensure that SSL is enabled on the server running the Web Interface. To enable the Windows Directory Mapper ServiceWindows Server 2000 1. Open the Computer Management utility by right-clicking My Computer and choosing Manage. 2. Navigate to and expand Services and Applications. 3. Navigate to and expand Internet Information Services; right-click and choose Properties. 4. Under the Internet Information Services tab, in the Master Properties box, click Edit. 5. Select Enable the Windows Directory Service Mapper on the Directory Security tab. 6. Click OK until you return to the Computer Management dialog box.
203
To enable the Windows Directory Mapper ServiceWindows Server 2003 1. Open the Computer Management utility by right-clicking My Computer and choosing Manage. 2. Navigate to and expand Services and Applications. 3. Navigate to and expand Internet Information Services; right-click the Web Sites node and choose Properties. 4. From the Directory Security tab, select Enable the Windows Directory Service Mapper. 5. Click OK until you return to the Computer Management dialog box. To install a server certificate 1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site is displayed. 2. Right-click Default Web Site and choose Properties. 3. Click Server Certificate on the Directory Security tab to begin the Web Server Certificate wizard. Click Next. 4. Choose Create New Certificate and click Next. 5. Choose Send the request immediately to the certification authority and click Next. 6. Enter a friendly name for the certificate and click Next. Tip Use the servers FQDN for the friendly name. 7. Enter the corresponding organization and organizational unit and click Next. 8. For the Common Name, enter the FQDN of the server running the Web Interface and click Next. 9. Enter State/Province and City/Locality and click Next. 10. If the Certificate Authority is not automatically filled in, select it from the list. 11. Click Next twice and then click Finish.
204
To ensure that SSL is enabled on the server running the Web Interface 1. In the Computer Management utility under Internet Information Services, expand the tree until Default Web Site appears. 2. Right-click Default Web Site and select Properties. 3. Choose the Web Site tab and ensure that SSL Port 443 is available for SSL connections. 4. Close the Computer Management utility.
Enabling Smart Card Authentication using the Web Interface Administration Console
Complete the following tasks to configure the Web Interface to accept credentials using smart cards. 1. Display the Authentication page. 2. Select the Smart card option to allow users to authenticate to the Web Interface using a smart card. 3. In the Authentication for launching applications section, set Use smart card to log on to MetaFrame to enable smart card authentication to your servers. Choose from one of the following options: Auto. This is the default. If the user authenticated to the Web Interface using a smart card, the Web Interface attempts to authenticate using this method. Yes. The Web Interface always attempts to authenticate using smart card credentials. No. The Web Interface never attempts to authenticate using smart card credentials.
Note If Use smart card to log on to MetaFrame is set to Yes but a smart card is not available, a dialog box requesting the users to press CTRL+ALT+DEL appears. If this occurs, users must press CTRL+F1 to bypass this dialog box and then enter their user name and password to log on to a server. To test the configuration, log on to the Web Interface server (http//:<your Web Interface Server>) from a client with a smart card and launch a published application.
205
Using ActivCard Gold 2.1 with MetaFrame Presentation Server

ActivCard Gold 2.1 is not multiuser compatible until it is updated with ActivCard Service Pack 1 and a hotfix. 1. Install ActivCard CSP. 2. Install ActivCard CSP Service Pack 1. 3. Rename accsp.dll, accsp.sig, asphat32.dll and aspcom.dll in the system32 folder. 4. Contact ActivCard to receive the following private files and copy them to the system32 folder accsp.dll accsp.sig asphat32.dll aspcom.dll MFC42D.DLL MFCO42D.DLL MSVCRTD.DLL
5. At a command prompt, type regsvr32 accsp.dll to register the accsp (Activecard Card Service Provider) library. 6. Restart the computer. ActivCard Gold 2.2 and later should be fully multiuser compatible. Contact your smart card vendor for more information and to obtain the latest compatible CSP.
206
Miscellaneous Smart Card Information

Caution CSPs from Schlumberger and ActivCard do not function properly if they are both installed on the same server. However, each can be installed with the GemPlus CSP. You can use smart cards with single sign-on only on client devices running Windows XP, Windows Server 2000, and Windows Server 2003 because they are the only client operating systems that support logging on locally with a smart card. To test that a server is set up correctly for logging on with a smart card over an ICA connection, log on locally to the server using the smart card. If you can log on locally, you can log on over an ICA session. The CSP to be installed on the server depends on the type of smart card that is used. However, most readers work with different vendors smart cards. On Windows XP operating systems, Schlumberger Cryptoflex 8K cards can be used without installing additional drivers; however, Schlumberger Cryptoflex 16K cards require additional drivers. On occasion, the USB readers can stop working for various reasons. Removing and replacing the USB connector restores the reader to working order. Check Microsofts Knowledge Base support articles Q265087 and Q293507 for additional information.
207
Using Citrix Products in a Wireless LAN Environment

The findings in this section are the result of coordinated testing between Citrix and Compaq. Citrix and Compaq teamed together to test security in a wireless Local Area Network (wLAN) environment to determine and evaluate the inherent security risks associated with these types of networks. There is little physical security associated with wLANs, resulting in the possibility that the radio signals could be intercepted with malicious intent. For example, todays hackers are using tools and methods to obtain MAC addresses and channels used by internal networks.
Wireless LAN Vulnerabilities

The Wireless Encryption Privacy (WEP) relies on the RC4 encryption algorithm that uses the same key to scramble and unscramble packets. If the key management system cycles through the same set of keys in a predictable manner, determined intruders can correlate data with the keys to decipher the encryption. This intrusion technique can be successful with both 40-bit and 128-bit RC4 encryptions. Additionally, the network name and MAC addresses are broadcast in clear-text and can be easily intercepted. An intruder can then program these addresses on a personal wLAN adapter to access the network. Additionally, the Wireless Application Protocol, which is used by wireless devices to access text, has a known security hole that allows intruders to intercept decrypted data from transmission points before the data is encrypted for transmission. During a transmission, the following security protocols are used: Wireless Transport Layer Security (WTLS) - over the wLAN Secure Socket Layer (SSL) - over the wired LAN
There is a split-second of vulnerability at the gateway when the data is decrypted and then re-encrypted to switch protocols. Organizations cannot rely on the use of encryption keys and SSIDs to provide adequate security in a wLAN environment. However, using MetaFrame Presentation Server with the ICA protocol offers a number of features that protect against security vulnerabilities.
208
Citrix Architecture Security

The architecture in Citrix products provides the following security features: Pane-of-glass security. ICA protocol inherently prevents intruders from sniffing out data or code. Applications reside on a server; ICA transmits keystrokes, mouse clicks, and screen updates. Only a graphic representation of the user interface actually crosses the network. Data encryption. The ICA protocol offers built-in encryption on the client and server, adding an extra layer of protection against attempted hacking. Authentication. MetaFrame Presentation Server offers an additional layer of authentication security for role-based application access. Device loss protection. The ICA protocol allows critical data to be stored and protected on a server rather than the client, ensuring that the loss of a client device creates only a minimal security risk.
Optimizing Citrix Technology over Wireless WANS

Citrix published a white paper that provides information concerning deployment of Citrix products within wireless Wide Area Networks (wWANs). It includes information such as performance tuning techniques and advice. The white paper Optimizing Citrix Technology for Operation over Wireless Wide Area Networks is available from the Knowledge Center on the Citrix Web site www.citrix.com: http://support.citrix.com/kb/entry!default.jspa?categoryID=118&entryID=2131
209
Deploying the Java Client using the Web Interface

The MetaFrame Presentation Server Client for Java Version 6.30, available from the MetaFrame Presentation Server Components CD, runs in applet mode only. The Java Client is streamlined for use in environments where access to applications through a Web browser is required. You can configure the Web Interface to automatically download a Java Client package to the client device when users launch applications. Use the Web Interface Administration Console (on the ICA Client Deployment page) to specify which Java Client features to deploy. To make an ICA connection using SSL/TLS, select the SSL/TLS component. If you select SSL/TLS, the Java Client package that the Web Interface deploys will contain built-in certificates for a number of Certificate Authorities. See the MetaFrame Presentation Server Client for Java Administrators Guide for a full list of built-in certificates. If the environment already has server certificates from one of these Certificate Authorities, the Java Client already includes details of the necessary root certificate to allow it to verify the authenticity of the server. However, if the certificate is not one of those included in the built-in list of certificates used by the Java Client (for example, if your organization has its own certificate authority), you must configure the Web Interface so that it passes the correct root certificate to the Java Client package when users launch applications.
CHAPTER 9
Troubleshooting
This chapter includes information that can help you troubleshoot issues you may encounter with MetaFrame Presentation Server and its components.
Troubleshooting the IMA Service

The IMA Service is a core component of MetaFrame Presentation Server and runs on all servers in a server farm. The solutions presented in this section can help resolve many IMA issues.
IMA Service Fails to Start

The following guidelines and recommendations can be useful when the IMA Service fails to start: If the Service Control Manager reports that the IMA Service could not be started, but the service eventually starts, ignore this message. The Service Control Manager has a time-out of six minutes. The IMA Service can take longer than six minutes to start when the load on the database exceeds the capabilities of the database hardware or when the network is experiencing high latency. Examine the following registry setting: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\ Runtime\CurrentlyLoadingPlugin If the value is blank, the IMA Service could not connect to the data store or the local host cache is missing or corrupted. If a value exists, the IMA Service made a connection to the data store. The value displayed is the name of the subsystem that failed to load. For additional information about subsystem troubleshooting, see IMA Service Logging on page 213.
If you are connecting directly to the data store, verify that ODBC connectivity exists. For more information, see ODBC Connection Fails on page 213. If you are connecting to the data store through an intermediary server, verify that the IMA Service is running on the server that is connecting directly to the data store. Review the entries in the event log for the IMA Service error code that is returned. Verify that the Spooler service is started in the System context rather than for a user. If you see an IMA Service Failed message (with error code 2147483649) when restarting a server, the local system account may be missing a \temp directory. Change the IMA Service startup account to the local administrator. If the IMA Service starts under the local administrators account, check for a missing temp directory. Switch the service back to the local system account and try manually creating the temp directory %systemroot%\temp. Verify that both the TMP and TEMP environment variables point to this directory. For more information, see Microsoft article Q251254 at http://support.microsoft.com/ support/.
IMA Service Fails to Stop

The SMS Netmon2 client utility is not supported on servers running MetaFrame Presentation Server. The IMA Service fails to stop when running on a server that has this utility installed. Uninstall the Netmon2 client when installing MetaFrame Presentation Server on your server.
(on master page) Header Chapter 9 Troubleshooting
213
IMA Service Logging

For advanced troubleshooting of the IMA Service, you can enable logging at the server level. Use the following procedure to enable logging for either debug output (viewed using a debug hook utility like DBGVIEW from SysInternals) or a text file. To enable server logging of IMA events 1. Modify the following registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer: Name: Log to Debugger Type: REG_DWORD Data: 0x0 (disables debug output) or 0x1 (enables debug output) Name: Log to File Type: REG_DWORD Data: 0x0 (disables file output) or 0x1 (enables file output) Name: LogFileName Type: REG_SZ Data: full path and file name of the output file
2. The HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\Tracer registry key contains a subkey for each subsystem about which information can be traced. Tracing for all subsystems is on by default, but the specific types of messages for the subsystems are off. To enable tracing for a subsystem, both the default value (specified as the first value in the key) and the message values must have a value of 1. The default value must be 1 and should never be changed. Other values within each key correspond to types of messages to log and are set to 0 by default. To enable tracing for those items, set their value to 1.
ODBC Connection Fails

If you are connecting directly to the data store, ODBC connectivity is required for proper operation of the IMA Service. If your ODBC connection fails, try the following: 1. Verify that the database server is online. 2. Verify that the name of the DSN file that the IMA Service is using is correct by looking in the registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\IMA\DataSourceName 3. Attempt to connect to the database using the DSN file with an ODBC Test Utility (such as Oracle ODBC Test, DB2 Client Configuration Assistant test, or SQL Server ODBC Test).
214
4. Verify that the correct user name and password are being used for database connectivity. You can change the user name and password using the dsmaint config command. For more information, see the MetaFrame Presentation Server Administrators Guide. 5. Reinstall MDAC 2.6 Service Pack 1 or later to verify that the correct ODBC files are installed. 6. Enable ODBC Tracing for further troubleshooting. For more information, see ODBC Tracing on page 228.
Server Fails to Connect to Data Store

This error can indicate a corrupt local host cache. Before attempting the following steps, verify ODBC connectivity to the database. For more information, see ODBC Connection Fails on page 213. 1. Copy Ima.mdb to another directory for backup purposes. 2. From a command prompt, recreate the local host cache using the dsmaint recreate command. 3. Restart the server.
Permanent Storage Fails to Initialize during Installation

When this error occurs, it usually indicates that the IMA Service cannot create objects in the data store. Before attempting the following steps, verify ODBC connectivity to the database; see ODBC Connection Fails on page 213. 1. Verify that the user account for the database has permissions to create tables, stored procedures, and index objects. For Microsoft SQL Server, the permission is db_owner. For Oracle, the permission is resource. For IBM DB2, the permission is database administrator authority. 2. Verify that the system tablespace is not full on an Oracle server..
Recovering from a Failed Installation

If an installation fails, compare the list of servers in the Presentation Server Console to the list of servers returned by queryhr. Use the command queryhr -d hostID to remove any servers listed in the queryhr results that are not listed in the console, otherwise the data collector may continue to attempt to contact them. Caution Do not use the d switch on farm servers that are functioning properly. This switch removes the server from the farm and the server must then be reinstalled into the farm to regain functionality.
Chapter 9 Troubleshooting
215
Restoring an Unresponsive Server

If a member server is no longer responding to IMA requests and the IMA Service cannot be started, the server is considered to be unresponsive. You cannot use the chfarm command with an unresponsive server because the command requires connectivity to the data store. Caution The original state of the server cannot be recovered after performing the following procedure. Before using this procedure, first attempt all the other solutions in Troubleshooting the IMA Service on page 211. To rejoin an unresponsive server to the farm 1. Uninstall MetaFrame Presentation Server from the unresponsive server. 2. Remove the unresponsive server from the farm using the Presentation Server console on another server in the farm. 3. Reinstall MetaFrame Presentation Server on the unresponsive server and rejoin the farm during installation.
216
Troubleshooting Novell Directory Services Integration

This section lists troubleshooting tips and known issues that can occur when using MetaFrame Presentation Server in a Novell Directory Services (NDS) environment.
Troubleshooting Tips and Known Issues for ZENworks

If the ZENworks Dynamic Local User (DLU) policies are not being applied on some servers, check the Novell Workstation Manager component of the Novell Client, as described in the following procedure.
1. Right-click the My Network Places icon on the servers desktop and choose Properties. 2. In the Network and Dial-up Connections window, right-click Local Area Connection and choose Properties. 3. Choose Novell Workstation Manager from the components list and click Properties. 4. Verify the following settings: Workstation Manager is enabled The tree name is set to the tree that has the DLU policies applied All other options have the default settings applied
5. If you set the DLU policy in NDS to delete users after they log off (Volatile User option) and the volatile user accounts are not being deleted, ensure that the Enable Volatile User Caching option is disabled. If you are experiencing autologon problems with the ZENworks DLU feature as the Windows authentication method, try the following: 1. Make a desktop connection using an ICA Custom Connection with the Autologon feature enabled. 2. Specify User Credentials: Username a valid Distinguished Name such as .SampleUser.company Password a valid password Domain a domain that contains the NDS tree name
3. Launch the connection.
217
Known Issue: ZENworks for Desktops version 3 does not distinguish between users with the same user name, even if they are in different contexts. If the first user is still logged on when the second user logs on, the profile of the first user is utilized by the second user. Workaround: Be sure to use unique names in the tree. If your tree already includes users with the same user name, you can work around this by creating aliases.
Other Troubleshooting Tips and Known Issues

Logging on to a server can fail if you uninstall the Novell Client from the server after MetaFrame Presentation Server is installed. If this occurs, do not restart the computer running MetaFrame Presentation Server until you complete the following instructions: After uninstalling the Novell Client, you must reapply the proper settings to the registry. The following registry key contains the GINA values: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon The registry values for the default logon screen (without the Novell Client) are: GinaDLL Data: Ctxgina.dll CtxGinaDLL Data: Msgina.dll If you cannot log on to or assign rights to published applications using NDS credentials, try the following troubleshooting tips to correct the problem: Verify that NDS is enabled for the farm. To do this, right-click the farm name in the console and choose Properties. From the MetaFrame Settings tab, verify that the Novell Directory Services Preferred Tree is set correctly. Verify that you are using a valid user name, password, context, and tree name during logon by logging on from another computer using the same information. Verify that the Novell Client is configured correctly by browsing the tree and logging on from the console of the server. If the Novell Client displays an error message about an invalid user name, server, or tree, log on to the console as the same user. If you do not log on successfully, the Novell Client is not configured properly. If the client prompts you to reenter your credentials or displays an error message, click Cancel to return to the Novell logon dialog box. On the NT/ 2000 tab, view the user information:
218
If the Username field in the NT/2000 field contains a Distinguished Name (.username.context.), upgrade to Novell Client 4.81 or later. (Older Novell Clients do not parse the user name from the Distinguished Name.) If the Domain name field is blank or set to the local machine name and ZENworks DLU feature is being used, troubleshoot the Dynamic Local User policies (DLU is not functioning properly). If the Domain name field is blank or is set to the local machine name and ZENworks DLU feature is not being used, locate or create the following registry key: SyncedDomainName in HKEY_LOCAL_MACHINE\Software\Citrix\ NDS. Set the registry key value to the name of the Windows NT domain that is synchronized with the NDS tree. If the Domain name field contains the name of the NDS tree, enable NDS integration. If the Domain name field contains the name of a Windows NT domain and you are not using ZENworks DLU functionality for Windows authentication, verify that the server has a valid trust relationship between the servers domain and the users domain.
Known Issue: If you designate an NDS preferred tree but none of the servers are set to MetaFrame XP Feature Release 1 or later, MetaFrame Presentation Server prompts your users for NDS credentials but does not accept them. Workaround: Set the feature release level to Feature Release 1 or later on at least one server in the farm, remove the NDS tree name in the NDS Preferred Tree field Farm Properties > MetaFrame Settings, and then reset the Feature Release level to None. Known Issue: The session sharing feature is not supported for MetaFrame Presentation Server Client connections that are configured for NDS user credentials. Workaround: To use session sharing for custom ICA connections in Program Neighborhood, do not specify user credentials on the Login Information tab in the Properties dialog box. Known Issue: If you are connecting by dial-up ICA to a server that has the Novell Client installed, the server returns the Microsoft logon dialog box instead of the Novell logon dialog box. This occurs because the Use Default NT Authentication check box is selected by default on computers running Windows Server 2000.
219
Workaround: If you want to use Novell authentication on a server under these circumstances, clear the Use Default NT Authentication check box. To do this, from the Start menu choose Programs > Citrix > MetaFrame Presentation Server > Citrix Connection Configuration > Advanced Connection Settings. If a computer running Windows Server 2000 without Service Pack 2 is set up to use the default Windows NT authentication and a third-party authentication software such as the Novell Client is installed, the third-party logon dialog box appears instead of the default Windows logon dialog box. To resolve this problem, install Service Pack 2 for Windows Server 2000.
SQL Database Replication Troubleshooting Tips

The following general tips may be useful when attempting to replicate a data store contained in a SQL Server database. For more information about the replication process, see Replicating Data Stores Running Microsoft SQL Server on page 257. Replication fails if any servers involved in the replication are using cloned or ghosted images. Both the operating system and the SQL Server installations must be fresh. Verify that the MSSQLServer, SQLServerAgent, and MS Distributed Transaction Coordinator (MSDTC) services are started under a domain user account rather then the LocalSystem account. Use SQL Query Analyzer to issue a Begin Distributed Trans statement to verify that MSDTC is working properly. If this fails, MSDTC is not configured correctly. You may need to set up SQL Server for Mixed-mode authentication (Windows and SQL Server), which requires a restart of the SQL Server service. When troubleshooting, try reconfiguring authentication to use the SA SQL Authentication account instead of Impersonation to determine if the problem is with the trusted connections. When troubleshooting a replication use the following steps: First, attempt to clean up the old subscriptions If that fails, drop and recreate the subscription If that fails, drop and recreate the publication and the subscription As a last resort, disable replication, drop the distributed database, and then reconfigure replication
220
Resource Manager Troubleshooting Q&A

The following section answers some common troubleshooting questions related to Resource Manager. Resource Manager Summary Database Data Source Name Q: Is the Resource Manager summary database Data Source Name (DSN) case sensitive? A: The RMSummaRyDataBASE DSN is not case sensitive. Resource Manager Node Still Shows in Management Console After Uninstalling Resource Manager Q: Resource Manager was installed on a second server in my farm; after uninstalling Resource Manager from one of the servers, why does the Resource Manager icon remain in the Presentation Server Console even though the uninstallation completed without errors? A: There is at least one server in the farm set to Feature Release 3 and the Resource Manager node is available to service that server. Note The Resource Manager node can be removed from a Presentation Server Console by removing or renaming the ResourceManager.jar file found in \Program Files\Citrix\Administration\Plugins\ and restarting the Presentation Server Console. Alerts Regarding High Context Switches/Second Q: I installed Resource Manager with the default metrics configured on a server and I receive alerts about high context switches. The server seems to be functioning correctly and none of my users are complaining. Is this alert serious? A: The default metric threshold values are a baseline configuration for an administrator to tune and they are determined for a minimal server configuration. Although most metric defaults are suitable as a one size fits all solution like Processor - %Processor Time defaults, some metrics like System Context Switches / Sec need to be tuned for the environment in which they will operate.
221
Zone Elections Counter Q: What does the Zone Elections counter monitor in Resource Manager? A: The Citrix MetaFrame Zone Elections counter monitors the number of data collector elections that occurred in the servers zone since the IMA Service started. Monitoring this metric can be useful to determine whether or not excessive data collector elections are taking place. Proactive monitoring can help prevent excessive amounts of data from transmitting between zones as elections are won. This can also be tracked with the Citrix MetaFrame Zone Elections Won metric.
Error Message: [Oracle][ODBC][Ora]ORA-02074: cannot ROLLBACK in a distributed transaction Q: I am using Oracle and continually get messages about ROLLBACK of distributed transactions. What does this mean? A: Ensure that Disable MTS (Microsoft Transaction Server) support in the Oracle ODBC driver workarounds configuration is set. If the workaround is not enabled (by default on most Oracle ODBC configurations) this leads to a unique key violation that terminates the SQL transaction and the following Resource Manager server log entry: [Oracle][ODBC][Ora]ORA-02074: cannot ROLLBACK in a distributed transaction.
Error Message: Must Reparse Cursor to Change Bind Variable Datatype Q: After restarting the Resource Manager database connection server, I received an Oracle ODBC error in the Resource Manager server log stating 14 June 2003 11:32:26 - System - [Oracle][ODBC][Ora]ORA-01475: must reparse cursor to change bind variable datatype. What does this mean? A: If the above message appears in the Resource Manager server log, setting the Oracle ODBC workaround for Enable Closing Cursors can help resolve this issue.
222
Error Message: Failed to create summary database Q: What needs to be done when I attempt to create the summary database and the procedure fails with this message appearing in the Resource Manager server log? A: This summary database message informs the user that there was an error deploying the schema for the summary databasefor example, server log entry: 11 July 2002 12:26:02 - System - Failed to create summary database. The most common causes of this error are: There was a database problem while initially creating the SDB schema. For example, an Oracle database configuration such as the rollback segment is too small and non-autoextending; this can prevent successful deployment of the Resource Manager schema. Solution: Check the Oracle or SQL Server configuration settings to ensure there is enough space in the database to create the schema. Several megabytes should be enough space to create the schema. Also, check that all rollback segments are autoextending; these can be tuned after the database is created. The database user has insufficient privileges to create the schema. For example, Resource Manager may not be able to insert data into tables or create packages. Solution: Ensure that the user has rights to the database and can successfully communicate with the database server.
Multiple Duplicate Import Request Messages Q: The Resource Manager server log is showing multiple duplicate import request messages. Is the data importing correctly? A: This message appears in the Resource Manager server log when there are multiple duplicate import requests. The following message is usually observed multiple times in the server log file: 22 November 1978 00:02:10 - System - Ignoring duplicate import request for file "C:\Program Files\Citrix Resource Manager\SummaryFiles\1C2865FABC926CA" from host "XXXXXXX". This is usually because the Update Now button was activated multiple successive times or there are spurious network conditions that cause the server to request an import more than once. In these conditions, this message is normal and summary file imports will complete unaffected.
223
Trusts and User Group Access Issues

This section outlines tasks that you can perform to overcome issues or improve system performance when managing MetaFrame Presentation Server for Windows.
Forest Trusts
With Windows Active Directory forests, you can create a two-way forest trust that allows a transitive trust among all child domains in the trusted forests. However, MetaFrame Presentation Server does not support the use of this type of trust among child domains. If you require a trust between two child domains in separate forests, you must create an explicit trust between the domains. Alternatively, you can place all servers in the same domain as follows: 1. Create a Local Group in the domain. 2. Populate this Domain Local Group with Global Groups from other domains.
User Access to Terminal Servers

By default on Windows Server 2003, members of the Administrators and Remote Desktop Users groups can connect using Windows Terminal Services. The Remote Desktop Users group contains no users when it is initially created; you must manually add any users or groups who require Windows Terminal Services access. If the users are not already members of the computers local group, you must also add them. Unlike Windows Server 2000 policies, the Allow log on locally policy (a Computer local policy under User rights) no longer provides access to Terminal Service connections. For additional information, see the Windows Server 2003 online documentation.
224
Other Troubleshooting Recommendations

Below is a list of frequently encountered issues and recommendations or workarounds that may help you troubleshoot and solve them.
Program Neighborhood Agent Cannot Connect through the Secure Gateway

If a user receives the message Cannot connect to the MetaFrame server: Protocol driver error when attempting to connect to the Secure Gateway from the Program Neighborhood Agent, the most likely cause is that the client device does not have 128-bit encryption installed.
Folders Do Not Appear in Program Neighborhood

Folders that you create to organize applications in the Presentation Server Console are not related to application folders that appear in Program Neighborhood. To specify application folders for Program Neighborhood, use the Program Neighborhood Settings tab in the Properties dialog box for the published application. To set an applications Program Neighborhood folder 1. Right-click the published application in the console and choose Properties. 2. On the Program Neighborhood Settings tab, type the folder name in the Program Neighborhood Folder box.
Cannot Launch Secure Applications through Internet Explorer

If you have users connecting through a secure Web Interface page (HTTPS) and they receive an error message of ICA file not found, ensure the security settings within Internet Explorer are not set to Do not save encrypted pages to disk. To check security settings in Internet Explorer 1. Open Internet Explorer. 2. Click Tools > Internet Options. 3. Click the Advanced tab. 4. Scroll down to Security. 5. Be sure Do not save encrypted pages to disk is cleared. 6. Click OK.
225
Reducing Printing Messages in the Event Viewer

To limit the growth of the event log and to ease troubleshooting, it may be desirable to limit or disable print messages from displaying in the event viewer. This can be configured in the Control Panel by selecting the Advanced tab in the printers Properties dialog box. From this tab, the printer options can be enabled or disabled.
Importing Network Printers from Other Domains

Printers cannot be imported from a network print server when: The print server resides in a workgroup The printer is in a different domain from any servers in the server farm
To enable the printer to be imported 1. Do one of the following: Add the network print server to the same domain as the computers running MetaFrame Presentation Server Add one of the servers to the same domain as the network print server
2. Assign the printers to the Everyone group instead of to groups or users. Authenticate without credentials to receive the list of printers assigned to everyone. 3. To allow Novell users to access Microsoft print servers, you must enable the Guest account and assign Everyone or Guest access.
USB Redirection Does Not Work

MetaFrame Presentation Server supports USB printers installed on the server MetaFrame Presentation Server Clients support installed USB printers when the client platform is Windows 98, Windows XP, Windows Server 2000, or Windows Me
Other USB devices, including scanners and cameras, are not currently supported by MetaFrame Presentation Server.
226
Content Redirection Options Are Disabled when Publishing an Application

If you install and then publish applications after installing MetaFrame Presentation Server, you must update the file type associations in each servers registry. To update file type associations in a server farm 1. Open the Presentation Server Console. 2. Expand the Servers node in the left window pane. 3. Right-click a server and select Update File Types from Registry. 4. When the file type updates are complete, check the properties of the published application. The content redirection options are now enabled.
Disconnected Sessions
MetaFrame Presentation Server allows you to log Transport Driver Errors to a log file. This allows you to track any kind of Winsock errors the client receives. This is useful in troubleshooting why sessions are disconnected. To enable the logging, the following parameters must be added when launching the ICA connection with wfcrun32. The command is:
Wfcrun32 /c:0x00000040 /e:0x00100000 /logfile:<log file path> <connection name>
where 0x00000040 tells to log in Transport Driver. The 0x00100000 tells to log any Auto Client Reconnect related information. If an error is encountered, it is included in the logfile together with an error code. The error code may be a Winsock error code. Check the Microsoft Developers Network (MSDN) site for information about these codes.
MaxThreads and Session Reliability

When Session Reliability is enabled for client connections, the number of connections is limited to 150 users on a server that may be powerful enough to accept more. This is because of the ThreadsPerChild value of 150 in the httpd.conf configuration file located in the %Program Files%\Citrix\XTE\conf folder. The value is persistent but can be changed by editing the registry. In HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XTEConfig add a DWord Value called MaxThreads. Modify the value of MaxThreads to a decimal value equal to or greater than the number of users you expect the machine to support. After the value is set, stop and restart the IMA Service or restart the machine so that your changes will take effect.
227
Collecting Information for Citrix Technical Support

This section discusses methods for collecting information that Citrix Technical Support can use for debugging purposes and for assisting you with your troubleshooting efforts.
Obtaining System Information

When troubleshooting an issue, Citrix Technical Support may request information about the state of your system. The easiest way to obtain such information is to execute winmsd, which launches the System Information tool on Windows Server 2000. From the Microsoft Management Consoles Action menu, select Save as System Information File. If necessary, you can then send the file to Citrix Technical Support.
Obtaining Installation/Uninstallation Logs

If your MetaFrame Presentation Server installation fails to complete, Citrix Technical Support will require an installation log file to troubleshoot the problem. From MetaFrame XP Feature Release 2 onward, the installation is a Windows Installer package (.msi file), and you must invoke the Windows Installer with the /l command line option to create an installation log file. Citrix recommends that if your MetaFrame Presentation Server installation does fail, you attempt a second installation using the following command line to create a log file: Msiexec /i <CD>\MF\mps.msi /l*v %SystemDrive%\msi.log Replace <CD> with the CD drive letter (for example, D:) containing the MetaFrame Presentation Server CD. If the MetaFrame Presentation Server CD was copied to a hard drive or network share, you can also replace <CD> with the full path to the CD image. The above command line creates a log file named Msi.log in the root of the system drive. Further information about the Windows Installer is available at the Microsoft Web site.
228
Capturing Presentation Server Console Debug Output

To capture debug output from the Presentation Server console, launch the console with the debugFile command line option. Citrix recommends that you create a shortcut using the following procedure: 1. Right-click on the desktop and choose New > Shortcut from the context menu. 2. The Create Shortcut wizard starts. In the Type the location of the item field type: %SystemRoot%\system32\java.exe. When prompted to Type a name for this shortcut:, type a description such as Console Debugging. 3. Right-click the new shortcut and choose Properties from the context menu. 4. On the Shortcut tab, type the following text in the Target field (because of page width constraints, the text is wrapped below but must be entered as one line): java.exe -Djava.ext.dirs="ext;%ProgramFiles%\Java\ jre1.4.1\lib\ext" jar Tool.jar -debugFile:output.log 5. Change the Start in field to %ProgramFiles%\Citrix\Administration. 6. Click Change Icon and type: %ProgramFiles%\Citrix\Administration\ctxload.exe 7. On the Layout tab, set the Screen buffer size to 9999 lines. 8. Click OK to save the shortcut. When the shortcut is launched, two windows are displayed. The first window is a command window containing the debug messages output by Java.exe. The second window is the console user interface. If the console hangs or otherwise fails, press CTRL + BREAK in the command window to view the stack trace.
ODBC Tracing
ODBC tracing information might be requested by Citrix Technical Support or the database vendor support team. The procedure to enable ODBC tracing depends on the database server software you are using. The following procedures detail how to activate ODBC tracing for Microsoft SQL Server, Oracle, and IBM DB2. Microsoft SQL Server 1. Launch the ODBC Data Source Administrator. 2. Click the Tracing tab. 3. Type a path for the log file in the Log File Path box. 4. Click Start Tracing Now to begin tracing. Click Stop Tracing Now to end tracing.
229
Oracle 1. Launch the Net8 Assistant. 2. Click Configuration > Local > Profile. 3. Choose General from the drop-down box on the right-pane. 4. Use the Tracing and Logging tabs to configure ODBC tracing as needed. IBM DB2 1. Launch the DB2 Client Configuration Assistant. 2. Click Client Settings > Diagnostics. 3. Set the Diagnostic error capture level to 4 (all errors, warnings, and information messages).
Installation Manager Debug Files

Obtain the following Installation Manager files before contacting Citrix Technical Support for Installation Manager troubleshooting questions: wfs (the package script) ael (the recorder log file) aep (the packager project file) log (the windows installer log file)
CHAPTER 10
Using MetaFrame Presentation Server with Novell Directory Services
MetaFrame Presentation Server supports Novell Directory Services (NDS) authentication to servers, published applications, and published content. This chapter explains how to use MetaFrame Presentation Server, the Web Interface, and the MetaFrame Presentation Server Clients (Version 6.20 and later) in an NDS environment. This chapter assumes that you are familiar with NDS and related Novell products. See the Novell Web site at http://www.novell.com for more information about the Novell products referred to in this document. CAUTION A number of steps in this chapter require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Farm Layout and System Requirements

Using MetaFrame Presentation Server in a network environment that employs multiple directory services requires careful planning. While the server farm can contain servers that are in Windows NT or Windows Server 2000 domains and servers enabled for NDS, computers running the Novell Client and that use Dynamic Local User functionality should be members of a workgroup, not members of a domain. You must use the Dynamic Local User feature of Novell ZENworks for Desktops in this configuration. To implement MetaFrame Presentation Server in an NDS environment, designate application servers to host applications and content published only for NDS users. These servers must run Version 4.81 or later of the Novell Client for Windows NT/ Windows Server 2000 and MetaFrame Presentation Server. The following figure illustrates the required layout of a server farm in an NDS environment.
.
The following software must be installed for MetaFrame Presentation Server to successfully access NDS: On the Novell server (a server supporting NDS authentication and responding to NDS queries from clients): NDS eDirectory 8.5 for Windows or for Novell NetWare 5 with Support Pack 6 or later, or for Novell NetWare 5.1 with Support Pack 2 or later, or NetWare 6 and later. On MetaFrame Presentation Server for Windows Servers: Novell Client for Windows NT/Windows Server 2000, Version 4.81 or later Computers running MetaFrame Presentation Server 3.0 -orComputers running MetaFrame XP Feature Release 2 or 3
(on master page) Header Chapter 10 Using MetaFrame Presentation Server with Novell Directory Services
233
Important If using ZENworks Dynamic Local User function to gain access to Windows, you must install Novell ZENworks for Desktops 3 or later. If you are not using ZENworks to gain access to Windows, you must have accounts with the same user name and password in both NDS and Windows NT or Active Directory domains. To synchronize domains, perform either of the following: Manually synchronize accounts. Use third-party software such as Novells Account Management 2.1 or DirXML that can automatically synchronize accounts between NDS and Windows NT domains.
Important IP (Internet Protocol) is the only supported protocol for interaction between MetaFrame Presentation Server, NDS, and ZENworks for Desktops.
Setting Up MetaFrame Presentation Server for Use in NDS

To enable the use of MetaFrame Presentation Server in an NDS environment, complete the following tasks. 1. Decide which servers will host applications and content published for NDS users when MetaFrame Presentation Server is installed. 2. Install the Novell Client for Windows NT/Windows Server 2000, Version 4.81 or later on those servers (see Installing the Novell Client on page 234 for more information.) 3. Install MetaFrame Presentation Server and activate the required MetaFrame Presentation Server licenses. 4. Enable the Dynamic Local User policy in ZENworks for Desktops or ensure that the same user accounts and passwords exist in both NDS and Windows NT or Active Directory domains. 5. You can also enable the SyncedDomainName key on each computer running MetaFrame Presentation Server with NDS Integration. This does not require the ZENworks DLU Component. Open the Registry Editor on the MetaFrame Presentation Server. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix and add a new key called NDS. On the new key, add a new SZ sub key called SyncedDomainName.
234
Set the value to the NetBIOS name of the domain with which you want to synchronize the user names. There is no need to restart the server or IMA Service. Users will synchronize the NetWare users with those of the Active Directory domain. Both users will still need to exist on the NetWare tree and the Active Directory domain. Assign MetaFrame Presentation Server administrator privileges to NDS objects. Log on to the Presentation Server Console with NDS credentials. Publish applications, desktops, or content for NDS users on computers running MetaFrame Presentation Server to which only NDS users will connect.
6. Enable NDS usage for the farm.
7. If you are using the Web Interface, enable NDS usage in the Web Interface. 8. Instruct users how to connect to published applications and content using their NDS credentials. If you are deploying the Program Neighborhood Agent, enable NDS usage in the Program Neighborhood Agent.
Installing the Novell Client

Citrix recommends installing the Novell Client and related service packs on a server before installing MetaFrame Presentation Server.
Installation on a Server without MetaFrame Presentation Server

Complete the following tasks prior to installing MetaFrame Presentation Server. 1. Install and configure the Novell Client for Windows NT/Windows Server 2000, Version 4.81 or later. Note If you choose to use ZENWorks DLU, it may be necessary to perform a custom installation of the Novell Client and add the Workstation Manager component; some clients do not install this component when performing a Typical installation. 2. Restart the server. 3. Verify that you can log on to NDS.
Chapter 10 Using MetaFrame Presentation Server with Novell Directory Services
235
If you cannot log on to NDS, you may need to add a Directory Agent (DA) location to the Novell Client. A DA is needed when the Novell server is located on a different subnet. If a DA does not exist, ensure that the Novell server and the MetaFrame server are part of the same subnet. 4. To optimize logon and browsing response times, change the order of the network providers using the following steps: a. Right-click the My Network Places icon on the servers desktop. b. Choose Properties from the short-cut menu. The Network and Dial-up Connections dialog box appears. c. Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears. d. On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services. e. Click OK to close the Advanced Settings dialog box. 5. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable. 6. To suppress a MetaFrame Presentation Server setup program error message informing you that the FileSysChange parameter is invalid, complete the following steps: a. Open the System.ini file located in %systemroot%. b. In the [386Enh] section of System.ini, set the following value: FileSysChange=off c. Save and close the System.ini. The appearance of this error message causes unattended setup of MetaFrame Presentation Server to fail. Ensure that the FileSysChange parameter is set to off before running an unattended installation. 7. Install MetaFrame Presentation Server. If MetaFrame Presentation Server fails to install, complete the following steps: 1. Uninstall the Novell Client from the server. 2. Install MetaFrame Presentation Server and then install the Novell Client by following the instructions in Installation on a Server with MetaFrame Presentation Server below. If the system is working properly, you can skip to Using ZENworks to Simplify User Credentials on page 239.
236
Installation on a Server with MetaFrame Presentation Server

If MetaFrame Presentation Server is already installed on the server before you install the Novell Client, you must change the Windows registry on the server before and after you install the Novell Client. If the Novell Client being installed is Version 4.9 or later, the following steps are not required because the 4.9 client detects and follows GINA chaining. Note If the server has the IPX protocol installed along with the Novell Client, installation may fail and display a wowexec error message. To work around this issue, disable the NWLink protocol on all adapters in the server. After MetaFrame Presentation Server is installed, re-enable NWLink. If MetaFrame Presentation Server is already installed on the server, complete the following tasks. 1. Run regedt32. 2. Edit the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 3. Double-click the GinaDLL entry located in the right-hand pane. In the String Editor dialog box that appears, replace the value Ctxgina.dll with the value Msgina.dll. 4. Install and configure the Novell Client for Windows NT/Windows Server 2000, Version 4.81 or later. 5. Do not restart when prompted by the Novell Client Setup. 6. Edit the registry entry for GinaDLL as in Step 2. In the String Editor dialog box that appears, replace the value Nwgina.dll with the value Ctxgina.dll. 7. With the key path for Winlogon still selected, choose Add Value on the Edit menu. 8. Type CTXGINADLL in the Add Value dialog box. The data type is REG_SZ.
237
9. Enter Nwgina.dll in the String Editor dialog box to assign this value to the new CTXGINADLL entry. On MetaFrame Presentation Server, Ctxgina.dll is loaded by Winlogon.exe to process the auto-logon information transmitted by clients. Ctxgina.dll can process auto-logon credentials in excess of 20 characters. For example, if Ctxgina.dll is not loaded, auto-logon user names greater than 20 characters are truncated to 20 characters by Termsrv.exe. When Ctxgina.dll acquires users auto-logon credentials, they are passed in their entirety to the installed Gina.dll file to complete the authentication process. In most cases, the installed GINA is Msgina.dll. When the Novell Client is installed, the GINA is Nwgina.dll. Note Steps 1 through 9 above are required to ensure that CTXGINA is installed on the server. CTXGINA is required for logging on automatically with user names that exceed 20 characters. 10. To optimize logon and browsing response times, change the order of the network providers using the following steps: a. Right-click My Network Places on the servers desktop. b. Choose Properties from the shortcut menu that appears. The Network and Dial-up Connections dialog box appears. c. Choose Advanced Settings on the Advanced menu. The Advanced Settings dialog box appears. d. On the Provider Order tab, adjust the order of the network providers so that Microsoft Windows Network is above NetWare Services. e. Click OK to close the Advanced Settings dialog box. 11. To optimize logon time, add the Windows fonts directory located in %systemroot% to the system path environment variable. The system is now ready for you to set up the Windows account authentication to be used to access Windows 2000 servers.
238
Windows Account Authentication

When a Novell Client is running on a computer running Windows NT or Windows Server 2000, users are required to have two accounts: one for authentication to NDS and one to gain access to Windows. You can use two different methods to allow users access to Windows: Use Novells Dynamic Local User functionality, available in Novells ZENworks for Desktop product (this is the only supported method if you are running MetaFrame XP Feature Release 1). Create user accounts with the same user name and password in both NDS and Windows NT or Active Directory domains for each user. Synchronizing the user accounts in this way allows you to integrate MetaFrame and NDS without using Novells ZENworks.
If you want to use MetaFrame in an NDS environment using ZENworks, see Using ZENworks to Simplify User Credentials below. If you want to use MetaFrame in an NDS environment without using ZENworks, see Configuration without ZENworks on page 241.
239
Using ZENworks to Simplify User Credentials

When the Novell Client is running on Windows NT or Windows Server 2000, users are normally required to enter separate sets of credentials to log on to Windows and NDS. Enabling the Dynamic Local User policy in ZENworks for Desktops eliminates this need. The following section explains how to configure the Container Package and User Package in ZENworks for Desktops to eliminate the need for users to specify two sets of credentials when connecting to MetaFrame Presentation Server. Configure the Container Package to specify the users (by container) to whom you want to apply the Dynamic Local User policy. Configure the User Package to specify how the Dynamic Local User policy is applied to those users. Note These settings are configured on the Novell server through ConsoleOne.
Configuring the Container Package

The ZENworks for Desktops Container Package searches for policies located within the tree and then applies them to the users associated with a particular container. Follow the example below to create a Container Package that searches only the local container for policies applied to users within that container. This sample configuration is useful for small companies. Complete the following tasks for containers that hold user objects requiring the Dynamic Local User policy. 1. Select a container that holds user objects. 2. On the New Object menu, choose Policy Package > Container Package. 3. Choose Define Additional Properties and click Finish. 4. On the Policies tab, enable the Search policy. 5. In the Search policies up to field, choose Object Container to search only the container in which the search policy resides. The other choices are: Root (default) - Searches the local container and any container in the direct path to the root of the tree. This is not recommended for medium to large trees. Partition - Searches the local container and any container up to the root of the partition. This method works well for large environments, but you need to specify the partition boundaries. Selected Container - Searches the container between the current container and the root of the tree that you select.
240
6. Leave the search level at the default setting of 0. 7. Click Apply, then Close. 8. On the Associations tab, choose Add and browse to the container that holds the container package you just created. 9. Click OK and then Close.
Configuring the User Package

The User Package in ZENworks for Desktops enables Dynamic Local User functionality for users who are associated with that particular package. Follow the example below to create a User Package that enables the Dynamic Local User functionality. Important If the Search Policy Package, the User Policy Package, and the user are not located in the same container, the policy is not applied to the user. 1. Choose the Organizational Unit that holds the Container Policy from above. 2. On the New Object menu, choose Policy Package > User Package. 3. Near the end of the wizard, choose Define Additional Properties and then click Finish. 4. Choose WinNT-2000 on the Policies tab. 5. Choose Enable Dynamic Local User and then choose Properties. 6. Choose Dynamic Local User at the top of the page. 7. Choose Manage Existing NT Account (if any). This changes the password and other items to match for a seamless integration. Note Novell recommends that you create a separate Dynamic Local User policy for users who have the user name Administrator if the local administrator account was not renamed. 8. Choose Use NetWare Credential. This creates a local Microsoft user who has the same user name and password as the NDS user. If this is not enabled, the Dynamic Local User feature creates a random user name and password, resulting in the loss of MetaFrame Presentation Server functionality. Do not enable Volatile User unless you have very large profiles and want to conserve disk space.
241
9. On the Not Member of tab, choose User > Add. Select the users or groups to whom you want to apply the policy. Applying the policy to users gives them rights to log on and run applications. 10. Click Apply and then OK two times to finish creating the policy. 11. If the computer running MetaFrame Presentation Server is also running Windows Server 2003, ensure that you add a Custom Group to the Policy. The Custom Group name should be Remote Desktop Users. This is the group that is granted Log On Locally to log on remotely through Windows Terminal Services.
Configuration without ZENworks

In an environment with a Novell Client running on Windows NT or Windows Server 2000, users are required to enter separate sets of credentials to log on to Windows and NDS. Using synchronized accounts between NDS and Windows NT or Active Directory domains eliminates this need. To enable MetaFrame Presentation Server to work in an NDS environment without using ZENworks, set the following registry key on all the servers that have the Novell Client installed but are not using ZENworks for Desktops Dynamic Local User functionality. Set the value to the Windows NT or Active Directory downlevel domain name containing the user accounts that match the accounts in NDS. 1. Run regedt32. 2. Edit the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix 3. With the key path for Citrix still selected, choose New Key on the Edit menu. 4. Rename the newly created key to NDS. 5. Highlight the new NDS key. 6. With the NDS key still selected, choose New String Value on the Edit menu. 7. Enter SyncedDomainName in the String Value dialog box. 8. Enter the name of the Windows domain that has the same user accounts as NDS in the String Editor dialog box to assign this value to the new SyncedDomainName entry. Note When you set this registry key, Ctxgina.dll replaces the NDS tree name that is passed from the client to the server with the string that is entered in SyncedDomainName. Ctxgina.dll then passes the credentials to Nwgina.dll, allowing the user name and password to be authenticated to NDS. The domain is then specified in SyncedDomainName.
242
Using MetaFrame Presentation Server in the NDS Environment

By default, MetaFrame Presentation Server supports only Microsoft Windows users. Follow the steps below to specify the preferred NDS tree for the farm. MetaFrame Presentation Server supports only one NDS tree in each farm. 1. Log on to the console and connect to a server configured for NDS support. 2. Right-click the farm node in the left pane of the console and choose Properties. 3. Click the MetaFrame Settings tab in the Properties dialog box. 4. Specify the tree name in the NDS Preferred Tree field and then click OK. To disable NDS support for the farm, delete the entry in the NDS Preferred Tree field and then click OK.
Assigning MetaFrame Presentation Server Administrator Privileges to NDS Objects

Follow the steps below to assign MetaFrame administrator privileges to objects such as country, organization, organization unit, group, user, or alias in an NDS tree. 1. Log on to the Presentation Server Console. 2. Right-click the MetaFrame Administrators node in the left-hand pane and choose Add MetaFrame Administrator from the menu that appears. 3. In the Add MetaFrame Administrator dialog box, open the NDS tree. Objects in the NDS tree represent container and leaf objects. 4. When prompted to log on to the tree, enter the distinguished name and password of an NDS user. 5. Select the Show Users option to display user and alias objects in this hierarchy. 6. Double-click to open container objects. Select the objects to be granted MetaFrame administrator privileges. Add at least one NDS user account that has read and write privileges. Note While it is possible to grant a MetaFrame administrator access to a context, users within the context or in contexts that are children of the granted context are also MetaFrame administrators. This is not recommended because of the difficulty of managing permissions granted to contexts. 7. Click Add. Select the level of permission and tasks you want to assign to the administrator. 8. Click Finish.
243
Logging On to the Presentation Server Console Using NDS Credentials

Follow the steps below to use NDS credentials to log on to the console to manage a server farm. 1. Launch the Presentation Server Console. 2. Enter a distinguished name in the User Name field. A fully distinguished name starts with a period and has a period between each object name up to the root of the tree. For example, user JoeX, within two container objects (the Admin organization unit within the PNQ organization) would enter .JoeX.Admin.PNQ in the User Name field. 3. Enter a password in the Password field. 4. Enter the NDS tree name in the Domain field. 5. Click OK. Note Enabling pass-through authentication to the console is not supported with NDS users.
Publishing Applications for NDS Users

Follow the steps below to publish applications on servers configured for NDS support. Only NDS users can connect to the applications you publish on these servers. 1. Log on to the console using NDS credentials. 2. From the Actions menu, choose New > Published Application. 3. Follow the instructions in the Published Application wizard. Click Help to obtain detailed help for each step. 4. On the Specify What to Publish dialog box, enter the UNC (universal naming convention) path to the application you want to publish in the Command Line field. For example, the NDS tree MYNDSTREE contains organization object MYORG, which contains NetWare volume NW50_SYS. The executable path on NW50_SYS is \APPS\OFFICE\WINWORD.EXE. The full UNC path to Winword.exe is \\MYNDSTREE\MYORG\NW50_SYS\APPS\OFFICE \WINWORD.EXE. You can leave the Working Directory field blank.
244
5. Because the Application Publishing wizard cannot access the applications icon, default icons appear in the Program Neighborhood Settings dialog box. To use the applications icon, you can copy the icon file (ending with an .ico extension) or the entire executable to a computer running MetaFrame Presentation Server that is not running the Novell Client. Click the Change Icon button to browse for the icon or executable on this other server. 6. In the Specify Servers dialog box, be sure to select only those servers running the Novell Client Version 4.81 or later. 7. In the Specify Users dialog box, select the NDS tree from the list. This enumerates the objects in the tree. Double-click container objects to open them. Choose the Show Users option to view users and alias objects in the current container. Select the desired object and click Add. You can also manually enter NDS user names. Choose Add List of Names and enter one or more NDS account names separated by a semicolon (;). Each account name must be entered in the fully distinguished name format prefixed by an NDS tree name and a slash (\). For example, enter CitrixNDSTree\.joeX.admin.pnq;CitrixNDSTree\.mary.test.pnq. Click Check Names to validate the account names or click OK if you are done adding accounts. Double-click to open container or leaf objects until the object to be granted access appears. Select the object and click Add.
Configuring Printer Autocreation in NDS

Use the console to choose Windows NT or Windows Server 2000 Active Directory print queues and assign them to NDS objects for autocreation. Permissions to the print queue must be granted to the Dynamic Local User created when the NDS user logs on to a server. This may require enabling the guest account on the print server. See the Microsoft online Knowledge Base article Q271901 for information about enabling the guest account. MetaFrame Presentation Server does not support autocreating NDS printers. See Novells documentation for autocreating NDS printers (NDPS and non-NDPS) in ZENworks for Desktops.
245
Enabling NDS Usage in the Web Interface

Complete the following tasks to configure the Web Interface to work in an NDS environment. 1. Open the WebInterface.conf (or NFuse.conf) file located in %SystemRoot%\Inetpub\wwwroot\Citrix\MetaFrame\conf (or %systemroot%\Program Files\Citrix\NFuse\conf) on the server running the Web Interface. 2. Edit the following parameters: Set the LoginType to NDS. Set the NDSTreeName to the name of the preferred NDS tree for the server farm. 3. If the optional parameter SearchContextList is not set, the Web Interface Contextless authentication feature searches the entire tree to locate a user. This may take a long time in a tree that has a lot of objects. Use SearchContextList to reduce the time required for contextless authentication. Set this parameter to a comma-delimited list of contexts from the NDS tree. The Web Interface Contextless authentication feature searches only these contexts to locate the user instead of the entire tree. Note The Novell Client must be running on the server running the Web Interface to allow authentication. 4. Restart the IIS Admin Service for the changes to take effect. On the Web Interface logon page, NDS user credentials can be entered as follows: 1. User Name: You can specify either: The full NDS distinguished name of the user (.joe.department.company or .CN=joe.OU=department.O=company) -orThe full NDS distinguished name of the alias for a user (.joeAlias.department.company or .CN=joeAlias.OU=department.O=company) -orA partial name ("joe") and select [Find Context] from the Context field to find all contexts where a user/alias with this name exists 2. Password: The NDS user's password.
246
3. TreeName: Shows the name of the NDS tree supported by the farm. MetaFrame Presentation Server supports only one NDS tree per farm. This field cannot be edited. 4. Context: You can select from this list by either: A context used in a previous Web Interface/NFuse logon -orFind Context tab Selecting this and clicking the Log In button causes Web Interface/NFuse to search the NDS tree for all contexts that contain the partial user/alias name. This search feature requires the Novell client to be installed on the Web Interface/ NFuse Web server, and be able to access the NDS tree. Because, searching the entire NDS tree may be slow, you can specify the NDS contexts that Web Interface/NFuse should search, by specifying them in the SearchContextList setting in the nfuse.conf file. For example: SearchContextList=subdepartment.department.company Do not prefix context names with a dot (.). Separate multiple contexts by a comma (,). Note Web Interface does not support pass-through authentication for NDS users.
247
NDS Usage with the MetaFrame Presentation Server Client

When users launch the MetaFrame Presentation Server Client, they can log on and be authenticated using their NDS credentials. Supported NDS credentials are user name (or distinguished name), password, directory tree, and context. NDS support is integrated into the following: Program Neighborhood and the Program Neighborhood Agent If NDS is enabled in the farm, NDS users enter their credentials on an NDS tab on the client logon screen. If users have the Novell Client (Version 4.81 or later) installed, they can browse the NDS tree to choose their context. Pass-Through Authentication If users have the Novell Client (Version 4.81 or later) installed, their credentials are passed to the server, eliminating the need for multiple system and application authentications. Note To enable pass-through authentication when using Novells ZENworks for Desktops dynamic local user functionality, set the Use NetWare Credentials value in the ZWFD DLU policy package to On. Session Sharing Session sharing works correctly with NDS users only if the application permissions are assigned at a user or container level. Session sharing does not work if assigned at the group level. The session sharing feature is not currently supported for custom ICA connections that are configured with NDS user credentials (under Properties > Login Information). To use the session sharing feature for custom connections, do not specify user credentials for a connection on the connections Login Information tab. Custom ICA Connections When users run the Add New ICA Connection wizard, they must enter a distinguished name in the User Name field and a password in the Password field and place the NDS tree name in the Domain field. Users running earlier versions of clients can also enter credentials in this manner.
248
Single Sign-On When the Novell Client is installed on the client device and Single Sign-On is enabled, Single Sign-On sends users NDS credentials to the server. If you want users to use Windows credentials, add the following to the Appsrv.ini or .ica file. Appsrv.ini file - Under the [WFCLIENT] section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT ICA file - Under the application name section, add or modify the SSOnCredentialType entry to SSOnCredentialType=NT
Configuring Default Contexts for Users

Configuring default contexts for users eliminates the need for users to know their context when they log on. Listed below are ways to configure default contexts on client devices: Enable pass-through authentication for the client If the client device is running the Novell Client, enable the MetaFrame Presentation Server Client to use pass-through authentication. When passthrough authentication is enabled on the client, the user name context and password are passed from the Novell Client to the computer running MetaFrame Presentation Server. Edit the Windows registry on the client device Create a script using regini or regedit that modifies the registry entry HKEY_CURRENT_USER\Software\Citrix\CtxLogon with the correct context for the user. Edit the value RecentContexts to specify context(s). Each context must appear on a new line. Add a default context to Windows Installer Setup for Program Neighborhood or the Program Neighborhood Agent. At a command prompt, type: msiexec /I <MSI_Package> /qn+ Default_NDSCONTEXT= <Context > where <MSI_Package> is the name of the Windows Installer package and <Context> is the default NDS context you want to display in the client. If you are including more than one context, separate the contexts by a comma.
249
Add a default context to the self-extracting executable for Program Neighborhood. Extract the client files from Ica32a.exe by typing at a command line: ica32a.exe -a -unpack:<Directory Location> where <Directory Location> is the directory to which you want to extract the client files. 1. Open the Appsrv.src file in a text editor. 2. Locate the section named [WFClient]. 3. Add the following line to the list of parameters and values in the [WFClient] section: DEFAULT_NDSCONTEXT=<Context1 [,]>. Include this parameter if you want to set a default context for NDS. If you are including more than one context, place the entire value in quotation marks and separate the contexts by a comma. Examples of correct parameters: DEFAULT_NDSCONTEXT=Context1 DEFAULT_NDSCONTEXT=Context1,Context2
Note The self-extracting executable setup program for the Program Neighborhood Agent does not support adding a default context.
250
Tips and Techniques

Creating Aliases
If you need to create aliases in NDS, follow the guidelines below. Ensure that the distinguished name of the object does not exceed 48 characters. Alias object names are unique within the tree. The Alias object can be the same name as the actual object.
Note You can use third-party tools, such as the Lyncx tool from Centralis, to automate the process of creating aliases for large trees. See the Centralis Web site at http:// www.centralis.co.uk for more information. When users log on, they are given the rights of the object to which the alias object points.
Organizing Published Applications for NDS Users

It may be helpful to set up groups in NDS and associate published applications with them. For example, you can create an NDS group called Default_User_Apps for business and office applications. Add this group when specifying which users have access to those published applications. When you add new users to this group, they are granted rights to the applications. Create a separate group for specialty applications that are not distributed to a wide audience. For example, create a group in NDS called Accounting_Program and then publish an application called Accounting_Program in MetaFrame XP Feature Release 2. In MetaFrame specify the NDS group Accounting_Program to the published application called Accounting_Program. When assigning new users to the accounting application, simply add them to the group called Accounting_Program in NDS.
Debugging NDS Issues

To capture tracing for debugging problem related to NDS support in MetaFrame Presentation Server, you must enable tracing for IMA_AAMS, WinDrvSS, and NDSDrvSS components.
CHAPTER 11
Creating and Replicating Printers
MetaFrame Presentation Server provides centralized printer management with the Presentation Server Console.This chapter discusses the creating, mapping, and replicating of printers in your server farm.
Printer Mapping Enhancements

Recent enhancements to MetaFrame Presentation Servers printer mapping capabilities include.
Automatic Installation of Drivers for Network Printers

The feature to allow automatic installation allows the creation of network printers in the same manner as client printers by automatically installing the users administrator-approved network printer drivers when users log on. The main purpose of this feature is to return a list of printers available to users when they log on. When users log on, print drivers are installed and all printers returned in the list are available. To use this feature, ensure that: 1. The Automatically install native drivers for auto-created client and network printers option is checked in Printer Management > Drivers properties 2. You check the list of allowed/denied printer drivers prior to enabling this feature Note Because printer drivers for networked printers are installed when users log on, users may experience a delay when logging on for the first time. Subsequent logons will not include this delay.
Enforcing Printer Compatibility

The printer compatibility feature allows you to prevent certain printer drivers from being used. When users log on, auto-created client printers are checked against a list of prohibited printers, enabling you to disallow print drivers that cause issues on the servers in the farm. Use the Presentation Server Console to configure printer drivers. To configure drivers, log on to the console, expand the Printer Management plug-in, click Drivers, and then click the Compatibility icon on the tool bar. Alternatively, rightclick the Drivers option, and then select Compatibility. In the Driver Compatibility window, you can select one of two options: Allow only drivers in the list or Allow all drivers except those in the list. When users log on, client printers are automatically mapped and verified that they can be created by comparing the printers against the list of allowed print drivers. If a prohibited client printer is encountered, an event is generated in the event log.
Enabling/Disabling Automatic Installation of Print Drivers

This feature allows you to disable automatic installation of automatically created client and network printer drivers. This feature does not disable the auto-creation of client and network printers; it disables only the installation of any drivers that are not currently on the server. To enable the automatic installation of printer drivers for any (network and client) printers in the console, choose Automatically install native drivers for autocreated client and network printers. Note After a driver is installed on the server, it remains on the server unless it is removed from the Printers folder. Therefore, to use the Automatically install native drivers for auto-created client and network printers option, use a printer with drivers not already installed on the server. To check for the installed drivers on the server, go to Start > Settings > Printers, ensure that nothing is highlighted in the printers window, then go to File > Server Properties and click Drivers. The drivers installed on the server are listed.
Chapter 11 Creating and Replicating Printers
253
Optimizing Printer Creation

Network printer shares that reside on the client system can cause an increase in the time it takes to authenticate users because the printers are created and deleted each time users log on and off. Use auto-created network printers instead of client network printer shares to reduce log on times to ensure that the connections to the network printers remain persistent. If the network printer is on the computer running MetaFrame Presentation Server, no other action is required. Otherwise, use the following steps to import the required network print servers into the farm. To add network printers to a server farm 1. In the Presentation Server Console, expand the Printer Management node. 2. Right-click and select Import Network Print Servers. 3. Specify the network print server to import and add any necessary authentication credentials. When the operation finishes, the print server appears on the Network Print Servers tab on the console. 4. Install the printer drivers for your network printers on to the servers in the server farm. 5. In the Printer Management\Drivers node, use the Auto Replication command to distribute the drivers to all the servers in the farm. Use the guidelines outlined in Using Auto-Replication on page 256 when performing replication. To allocate network printers to users 1. In the Presentation Server Console, expand the Printer Management node. 2. Expand the Printers node and select a printer. 3. Right-click the printer and select Auto-Creation. 4. Specify a domain and select the groups and users who need to use the printer. When a specified user logs on to a server in the farm, the printer becomes available in the users ICA session as if the printer were installed on the users client device. To change Auto-Created Printer setting to allow only local client printers 1. In the console, right-click Printer Management and select Properties. 2. Select the Local (non-network) client printers only radio button. 3. Click OK to finish.
254
Updating Printer Properties When Users Log On

Updating auto-created client printer properties and auto-created network printer properties when users log on can cause increases in logon times. Communication must occur between the server and the client systems to update the printer property settings each time users log on. If these settings are not used, the settings are read once the first time the client logs on to the server and then saved in the users profile and restored the next time the user logs on. You can verify auto-created client printers and auto-created network printers are not updating printer properties each time users log on (properties are not updated by default). To verify auto-created client printers and auto-created network printers 1. In the console, right-click Printer Management and select Properties. 2. In the Auto-Created Client Printers frame, verify that the Update printer properties at each logon option is not selected.
Printer Driver Replication

Printer driver replication copies printer driver files and registry settings across the server farm. You can install all required printer drivers on one server in the farm, then replicate the files and registry settings to all other servers in the farm. Printer driver replication is managed through the console. Printer driver replication does not replicate printer properties such as paper size and print quality. Tip The process of replicating printer drivers can consume a great deal of CPU resources on the source server. To improve performance, avoid replicating drivers while the farm is under heavy load, such as when several users log on.
Managing the Printer Driver Replication Queue

Each printer driver/server combination creates an item in the printer replication queue. For optimal performance, this queue should not exceed 1,500 entries in length. To determine the queue size, use the following formula:
QueueSize = Drivers * Servers
Where: Drivers = Number of printer drivers Servers = Number of servers to which the printer drivers are being replicated
Chapter 11 Creating and Replicating Printers
255
Using this formula, the queue can include 30 drivers for replication to 50 servers (30*50=1,500) or three drivers for replication to 500 servers (3*500=1,500) without exceeding the queue size recommendation. You can monitor the replication queue items with the qprinter /replica command. Tip You can determine whether or not printer drivers are successfully replicated by checking the Application Log in Event Viewer on the target servers.
Driver Replication and Performance Issues

The number of printer drivers installed on or replicated to each server in the farm can affect server performance and response time. The following sections provide recommendations for minimizing potential performance issues when installing or replicating printer drivers.
Driver Replication and Server Performance

The time required to complete printer driver replications depends on network traffic and server load. The replication distribution queue is handled by the Citrix IMA Service at a low priority. The printer driver replication subsystem can process an average of 50 entries every minute in a 50-server farm under a light user and network load. A 500-server farm under the same conditions can process an average of 20 entries a minute. The distribution subsystem monitors the load on the server that is replicating the print drivers while they are distributed across the server farm. If the subsystem detects that the server is becoming overloaded, it reduces the speed at which it sends the replication jobs. This can cause very large replication jobs to take several hours. To complete printer driver replication as quickly as possible, Citrix recommends that you replicate large numbers of printer drivers during off-peak hours when higher-priority network traffic is at a minimum. Tip You can monitor the progress of the printer replication jobs by running the qprinter /replica command.
256
Driver Replication and IMA Performance

The server farms data store holds one record for each printer driver, one record for each farm server, and one record for each printer driver/server combination. Installing more printer drivers on servers in the farm causes the size of the printer driver tables in the data store to increase. Larger tables in the data store result in increased delay when restarting the servers because the Citrix IMA Service has more information to query. To avoid degraded performance because of larger tables in the server farms data store, limit the number of printer drivers in the farm using the following guidelines: Install printer drivers only for printers that will be used by clients in the farm Install printer drivers only on servers that will host users who need access to the printers Install printer drivers that work for multiple printer types, if possible Remove unnecessary printer drivers from cloned images In WAN environments where a large number of printer drivers are installed, use a replicated data store if better performance is necessary Use the Citrix Universal Print Driver instead of the native Windows drivers, if possible
Using Auto-Replication
When an auto-replication job is scheduled, the Citrix IMA Service attempts to download the job when the IMA Service starts up. If several printer replication jobs are destined for a server, the IMA Service may take an extended amount of time to start. The Overwrite existing drivers option is not recommended because this downloads the printer drivers each time the IMA Service starts. Citrix recommends using scheduled replication instead of auto-replications to reduce network traffic. If auto-replication must be used, do not use the Overwrite existing drivers option and keep the number of printer drivers to be replicated to a minimum.
CHAPTER 12
Replicating Data Stores Running Microsoft SQL Server
This chapter describes how to replicate the SQL Server database that hosts your server farms data store.
Preparing for Replication

Review the following sections before replicating your data store database.
Determining Subscription Status

Replication occurs between a distributor server and subscriber servers. The distributor has an entry for each subscriber, and each subscriber has an entry for the distributor. Before replicating the data store, you must ensure that these server relationships are established. 1. Use the stored procedure sp_helpserver to determine which servers are configured as remote servers and view their current settings. The output of this stored procedure includes the name of the local server along with entries for each remote server that is contacted as part of the replication process. Ensure that: The local server has an entry in this list. If not, review Manually Adding a Server on page 258. The local servers ID is 0, and both the name and network_name match. On the subscriber, there is an entry for repl_distributor with the network_name of the distributor server. On the distributor, there is an entry for each subscriber with a status that includes sub.
2. Use the sp_helpsubscriberinfo stored procedure at the distributor to view the subscription information. Ensure that: One entry for each subscriber exists The publisher is identified correctly The login and password fields are blank if the Impersonate the SQL Server Agent (trusted connection) option is set
3. Display any existing subscription entries using the sp_helpsubscription_properties stored procedure on the subscriber in the database. Ensure that: The publisher is the name of the server that holds the source database for publication. The publisher_db is the name of the database on the publisher. The publication displays the name of the publication to which the database is subscribing. The publisher_login is SA and the next field has an encrypted password (these are set with the sp_link_publication stored procedure). Verify the SA user name in sp_link_publication is capitalized. Lowercase sa fails to create the RPC connection. These entries exist only in the subscribers database.
Stored Procedures for Configuring Replication

The following section discusses the stored procedures that are available to configure database replication.
Manually Adding a Server

If the local server is not displayed in the sp_helpserver stored procedure output, add it manually using the sp_addserver stored procedure. For example:
exec sp_addserver '<servername>', 'Local' go select @@servername
If the distributor is not displayed in the sp_helpserver stored procedure output, add it manually using the sp_adddistributor stored procedure. For example:
exec sp_adddistributor '<servername>' go select @@servername
Chapter 12 Replicating Data Stores Running Microsoft SQL Server
259
Linking a Publication
If all subscribers are set to Impersonate the SQL Server Agent (trusted connection) at the distributor, the publication link may still fail. If you see the Login Failed for User sa error message, it may be because the dynamic RPC calls are being attempted with an incorrect password. To reset the publication link, use the sp_link_publication stored procedure from the database on the subscriber. For example:
sp_link_publication '<Distributor>, '<Database>', '<Publication>', 0, 'SA', '<Pwd>'
Where: Distributor = The name of the distributor server Database = The name of the published database on the distributor Publication = The name of the publication that is to be linked Pwd = The password for the SA account on the distributor Execute the sp_link_publication stored procedure. Verify that conflicting information from sp_helpsubscription_properties is not present between the master and subscriber databases. If the databases contain different information, use sp_link_publication to set the same information in both databases or use sp_droppublication to remove the publication from the master database. Verify the SA user name in sp_link_publication is capitalized. Lowercase sa fails to create the RPC connection.
Cleaning up Old Subscriptions

If you have an existing database that you are unable to drop, you can run the stored procedure sp_subscription_cleanup to remove unwanted subscription entries from the target database (the database on the distributor): sp_subscription_cleanup '<Distributor>', '<Database>', '<Publication>' Where: Distributor = The name of the distributor server Database = The name of the published database on the distributor Publication = The name of the publication that is to be linked This procedure removes the entries created by sp_link_publication.
260
Replicating a Data Store in SQL Server 2000

To replicate a SQL Server 2000 database, use SQL Enterprise Manager. Begin by creating a new database on the SQL Server that will be used as the source for all replicas you create. Ensure that the account you use to create the database has db_owner permissions and is the same one you use on the replicated database. Before beginning the replication process, complete the following tasks: The Windows installations should be clean (from CD) installations instead of images. If images of Windows are used, ensure that they do not come from the same image but from different ones for each server. If your Windows installations come from the same image, replication will not work. Do not mix Windows Server 2000 with Windows Server 2003. The Distributed Transaction Coordinator service operates differently in Windows Server 2003 than it does in Windows Server 2000. If you mix the operating systems, replication will fail. For Windows Server 2003 verify that both publisher and subscriber SQL servers are in the same domain. Install SQL Server on the servers designated for the data stores. Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers designated for the data stores.
Setting Up the Servers

Complete the following tasks on servers running SQL Server to set up the data store for distribution. 1. From the Start menu, start the Services Manager. 2. From Services Manager, set up the same domain logon account for the following services (the local system account does not work): SQLServerAgent MSSQLServer MSDTC (Distributed Transaction Coordinator on Windows Server 2000)
Note If you are configuring SQL replication on Windows Server 2003, verify that the MSDTC service is using the Network Services security account (this account uses a blank password).
261
Replicating the Database

To replicate the SQL Server 2000 database that contains the data store, complete the following four general steps:
Step 1: Establishing the Distributor Server

1. Microsoft SQL 2000 servers acting as publisher, distributor, and subscriber must be in the same Windows NT or Active Directory domain. Start SQL Services under the same account. 2. Open Enterprise Manager on the server on which the source database is located. 3. Right-click the Replication folder and select Configure Publishing, Subscribers, Distribution Wizard. 4. On the Select Distributor page, select the current server to act as the distributor. 5. Keep the default Snapshot folder. 6. On the Customize the Configuration page, choose the option No, use the following default settings. 7. Click Finish.
262
Step 2: Enabling Transactional Replication on the Distributor

1. Right-click the Replication Monitor folder and choose Distributor Properties. 2. On the Publication Databases tab, check Trans next to the database you want to replicate, as shown in the figure below.
263
Step 3: Publishing the Source Database

1. Right-click the database name and go to New > Publication to start the Create Publication wizard. 2. Click Show advanced options in this wizard and then click Next. 3. On the Choose Publication Database screen, select the database you want to replicate and then click Next. 4. On the Select Publication Type page, choose Transactional publication. 5. On the Updatable Subscriptions page, select the Immediate updating option, as shown in the figure below.
.
6. On the Specify Subscriber Types page, select the Servers running SQL Server 2000 option. Click Next.
264
7. On the left side of the Specify Articles page, select both Show and Publish All for the tables object type. Do not publish stored procedures to the replicated databases.
8. Click Next on the Article Issues page. 9. Name the publication. 10. On the Customize the Properties of the Publication page, choose No, create the publication as specified.
265
11. Click Finish to complete the wizard. The publication appears in the Publications folder, as shown below.
266
Step 4: Pushing the Published Database to Subscribers

1. Right-click the published database in the Publications folder and choose Push new subscription to start the Push Subscription wizard. 2. Click Show advanced options in this wizard and then click Next. 3. On the Choose Subscribers page, select the subscribers for the published database. 4. On the next page, choose the destination database to which you want to replicate the source database. 5. On the Set Distribution Agent Location page, choose to run the agent at the distributor. 6. Set the Distribution Agent Schedule to continuously. 7. On the Initialize Subscription page, shown below, choose Yes, initialize the schema and data, and select the option to Start the Snapshot Agent.
8. On the Updateable Subscriptions page, select the Immediate updating option.
267
9. On the Start Required Services page, displayed below, the services that must be running are listed. Verify that the applicable required services are running on the distributor server.
10. Click Finish on the next screen to complete the wizard.
Additional Step for Windows Server 2003

If your database server is running on Windows Server 2003, run the following procedure on the distributor and the subscribers using Query Analyzer: exec sp_serveroption 'myServer', 'data access', 'true' where: myServer is the name of the remote server. Example for Distributor: exec sp_serveroption 'SubscriberServer', 'data access', 'true' Example for Subscriber: exec sp_serveroption 'PublisherServer', 'data access', 'true'
268
Troubleshooting the Replication

Ensure that the following seven tables on the replicated database are present:
DATATABLE INDEXTABLE KEYTABLE MSreplication_objects MSreplication_subscriptions MSsubscription_agents MSsubscription_properties
If not all tables are present, delete the replication setup and begin again. The dtproperties table also appears if you used the Database Diagram wizard in Enterprise Manager. If an error starting the IMA Service occurs after successfully configuring replication, you can run the following command from the Query Analyzer tool on the SQL2000 server:
sp_link_publication '<Distributor>', '<Database>', '<Publication>', 0, 'SA', '<Pwd>'
Where: Distributor = The name of the distributor server Database = The name of the published database on the distributor Publication = The name of the publication that is to be linked Pwd = The password For further information, refer to Citrix Knowledge Base article CTX101739.
269
Setting the Password for the Replica Database

When the subscription (replica) database is created on the subscriber server, the password for the SA account is not passed for security reasons and therefore needs to be set manually. Complete the following tasks to change the password for the SA account: 1. Select the subscription database on the subscriber server. 2. Select Tools > SQL Query Analyzer. 3. In the SQL Query Analyzer window type and run the following stored procedure: sp_link_publication '<Distributor>, '<Database>', '<Publication>', 0, 'SA', '<Pwd>' Where: Distributor = The name of the distributor server Database = The name of the published database on the distributor Publication = The name of the publication that is to be linked Pwd = The password for the SA account on the distributor Note If you encounter problems running the above stored procedure, an alternative procedure is: sp_link_publication 'publisher', 'database', 'publication', 0, 'SA', 'password', 'distributor'.
270
Multi-Subscriber Replication
Multi-subscriber replication, defined as comprising one publisher and two or more subscribers, requires additional considerations. By default, Microsoft SQL Server leaves foreign key referential integrity constraints intact in the subscriber databases. Because MetaFrame Presentation Server uses a two-phase commit between the subscriber and the publisher (distributor), these constraints are not necessary because integrity is maintained at the distributor. After a subscriber commits a transaction at the distributor, the distributor pushes the changes out to all remaining subscribers. However, the referential integrity constraints on the remaining subscribers prevent the transactions from completing correctly. When this occurs, you will see error messages similar to the following: DELETE statement conflicted with COLUMN REFERENCE constraint 'FK__DATATABLE__nodei__35BCFE0A'. The conflict occurred in database 'CTXIMA', table 'DATATABLE', column 'nodeid'. The row was not found at the Subscriber when applying the replicated command. To prevent the foreign key relationships from blocking the replicated transaction, perform the following steps on the subscribers only. 1. In Enterprise Manager, select the data store database. 2. Click Tables, right click DATATABLE in the right pane, and select Design Table from the context menu. 3. Click the Manage Relationships button.
271
4. Verify Enforce Relationship for Replication is checked for the relationship that starts with FK__DATATABLE__nodei.
5. Save the changes to the DATATABLE 6. Repeat Steps 3 6 for INDEXTABLE and the foreign key relationship that starts with FK__INDEXTABL__nodei. 7. In the foreign key relationships under KEYTABLE, verify that the checkbox for Enforce relationship for replication is clear. 8. Repeat Steps 1 8 for each subscriber database. Note Completing these steps on the distributor database may corrupt the data store. In addition, if you re-initialize the subscription, the schema is reread from the distributor and Steps 19 must be completed on the subscribers again.
272
Replicating a Data Store in SQL Server 7

Before beginning the replication process, complete the following tasks: 1. Ensure that you are not using a cloned or imaged installation of Windows Server 2000 or Windows Server 2003. 2. Install SQL Server 7 on the servers that will host the MetaFrame Presentation Server farm data store. 3. Create a database on both the source server (the distributor) and the server that will host the replicated database (the subscriber). Important Both new databases must have the same name so that you can replicate the source database to the copy. 4. Verify that the Microsoft Distributed Transaction Coordinator is installed on the servers that will host the data store. This section discusses an environment with two servers running SQL Server 7, referred to as the distributor and the subscriber.
Setting Up the Servers

Complete the following tasks to prepare the distributor and subscriber servers for the replication process. 1. Verify that you created two databases (one on the distributor and one on the subscriber) with the same name. The following procedures assume that both the distributor and the subscriber are in the same SQL Server group. 2. From the Start menu, start the Services Manager. 3. In Services Manager, set up the same domain logon account for the following services (the local system account does not work): SQLServerAgent MSSQLServer MSDTC (Distributed Transaction Coordinator on Windows Server 2000)
To set up the database distributor 1. Select one of the SQL Server databases you created as the source database to be replicated or published. 2. Install MetaFrame Presentation Server and point it to the database selected in Step 1. The database on this server is now the server farms data store and the server is the distributor server.
273
Replicating the Database

To replicate the SQL Server 7 database that contains the data store, complete the following four general steps:
Step 1: Enabling Replication on the Distributor

1. From the Start menu, start the Enterprise Manager. 2. Select Replicate Data in the right pane of Enterprise Manager. 3. Select Configure Replication. This starts the Configure Publishing and Distribution wizard. Click Next. 4. Select Yes, use <Server> as the Distributor/Publisher, where <Server> is the server you selected to distribute the data store database. 5. Select No, use the following default settings as the distribution settings. The default settings designate this server as the sole distributor. 6. Click Finish. This server is now set up to replicate the data store.
Step 2: Enabling Transactional Replication on the Distributor

1. From the Start menu, start the Enterprise Manager. 2. Select Replicate Data in the right pane of Enterprise Manager. 3. Select Configure Replication. The Publisher and Distributor Properties wizard appears. Click Next. 4. On the Publication Databases tab, check the Trans box next to the database holding the data store. Click OK. The data store can now be replicated using transactional replication. Note The dsmaint utility returns an error if you try to publish a database that is not enabled for replication.
Step 3: Publishing the Source Database Using the dsmaint Utility

From a command prompt, enter the command dsmaint publishsqlds / user:<username /pwd:<password>, where <username> and <password> are the credentials of the account used by MetaFrame Presentation Server to access the database. This account needs db_owner rights to configure the publication.
274
Step 4: Pushing the Published Database to the Subscribers

Complete the following tasks to distribute the data store on the distributor using the Push Subscription wizard. 1. Verify that the SQL Server set up as the subscriber is registered in the SQL Server group. 2. Start Enterprise Manager on the SQL Server set up as the distributor. 3. In the left pane of Enterprise Manager, expand the folders under the Database folder until you see MFXPDS, the publication you created with the dsmaint command. 4. Right-click MFXPDS and choose Push New Subscription from the shortcut menu that appears. Click Next. 5. The Choose Subscribers dialog box appears. Select the subscriber from the SQL Server group tree. The subscriber is the destination to host the copy of the data store pushed from the distributor. Click Next. The Specify Immediate-Updating Subscriptions dialog box appears. 6. On this dialog box, select Yes, make this an immediate-updating subscription(s). You must employ immediate updating subscriptions to ensure coherency. Click Next. The Set Distribution Agent Schedule dialog box appears. Important Merge replication is not supported by MetaFrame Presentation Server because it cannot guarantee the uniqueness of object creation across all servers in the enterprise. 7. Select Continuously in Set Distribution Agent Schedule. Continuous updating and a two-phase commit algorithm ensure data coherency. When the subscriber receives a request to write to the data store, the data is initially written to the data store on the publisher, then propagated by the distributor to the copy of the data store on the subscriber. The distributor is the only server that can write information to the data store on the subscriber. Click Next. The Initialize Subscription dialog box appears. 8. Select the following options on this dialog box: Yes, initialize the schema and data at the Subscriber. The database on the subscriber is not yet initialized, so the schema and data need to be initialized. Start the agent immediately. The Distribution Agent begins replication as soon as the database becomes available. Click Next. The Start Required Services dialog box appears.
275
9. On this dialog box, verify that all necessary services are running on both the distributor and the subscriber. The state for the MSDTC service on the subscriber always displays as Unknown even though it is running. To verify that MSDTC is running, check Services in Administrative Tools in the Control Panel on the subscriber. Click Next. The Completing the Push Subscription wizard appears. When the Push Subscription wizard is done running, replication begins. You can monitor the progress of the replication in Replication Monitor in Enterprise Manager. 10. When replication is complete, ensure that there are no replication alert errors in Replication Monitor.
Pointing Servers to the Replicated Data Store

After replicating the server farms data store, you can install MetaFrame Presentation Server on servers and point them to the replicated data store. 1. Start MetaFrame Presentation Server Setup. 2. When you are prompted for the location of the database that is hosting the server farms data store, point the server to the replicated data store (on the subscriber). 3. When you are done installing MetaFrame Presentation Server, open the Presentation Server Console and publish an application. 4. If the server can write the information about the published application to the data store, the data store was successfully replicated on the subscriber. Note You can redirect existing servers to the replicated copy of the data store by running the dsmaint config command.
APPENDIX A
Utilities
This chapter describes some of the Citrix utilities included with MetaFrame Presentation Server that you can use for configuration, management, and troubleshooting. Use command-line utilities at the command prompt, in a batch file on the computers running MetaFrame Presentation Server, or in an ICA session. For more information about Citrix utilities, see the MetaFrame Presentation Server Administrators Guide. This chapter explains how to use the following utilities: DSVIEW MSGHOOK QPRINTER QUERYDC QUERYDS QUERYHR SCCONFIG LMNEWLOG LMSWITCH
278
DSVIEW
Use this utility to view the contents of the data store, or the local host cache, and to look up ContextIds and UIDs. This utility includes a user interface, shown below.
Remarks
Dsview replaces IMATester, a utility documented in earlier editions of MetaFrame XP Advanced Concepts. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
Security Restrictions
Only local administrators can use dsview to view data.
Appendix A Utilities
279
MSGHOOK
Use this utility to display all IMA traffic on a member server.
Syntax
msghook
Remarks
Execute msghook only if information is requested by a Citrix Technical Support representative or a Citrix engineer. When invoked, this command significantly reduces MetaFrame Presentation Server performance. Msghook is not installed by default. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
Only MetaFrame Presentation Server administrators can execute this command.
280
QPRINTER
Use this utility to monitor the progress of the printer driver replication queue and to import printer name mapping parameters into the data store.
Syntax
qprinter [/replica] qprinter [/imprmapping mappingfilename]
Parameters
mappingfilename Specifies the full path to the text file containing the printer mapping parameters to import. The filename cannot have more than 256 characters and cannot contain quotation marks.
Options
/replica Displays all the replication entries queued for distribution but not yet completed. /imprmapping mappingfilename Imports printer mappings from the file specified by mappingfilename into the data store. The file format can be in either the Wtsprnt.inf format or the Wtsuprn.txt format.
281
Remarks
The /replica switch displays all events in the queue, including broken or failed events. The /imprmapping switch allows central administration of all printer name mappings. The file can be imported once from any server in the farm and is available for all servers in the farm. The /imprmapping switch does not process an improperly formatted file and does not return an error message when provided with an invalid file format. To verify the information is correctly imported into the data store, use the console. The MetaFrame Presentation Server installation first attempts to import the Wtsuprn.txt file, followed by the Wtsprnt.inf file. If the two files fail to import, no error message is returned. Use the /imprmapping switch to manually import either file. Qprinter is not installed by default. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
282
QUERYDC
Use this utility to determine the data collector for a given zone. Without any parameters, querydc defaults to the host servers zone and returns the zone name and name of the current zone data collector.
Syntax
querydc [-a] querydc [-e] querydc [-z zonename] querydc [-?]
Parameters
zonename The name of the zone to be queried. Enclose multi-word zone names within quotation marks.
Options
-a Displays all zones in the farm with the current zone data collector for each. -e Forces a new zone data collector election in the current zone. -z zonename Displays the current zone data collector for the zone specified by zonename. -? Displays the syntax for the utility and information about the utilitys options.
283
Remarks
Querydc uses the IMA Service to contact the local zone data collector for the requested information. Therefore, the IMA Service must be running for querydc to be successful. Querydc is not installed by default. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
284
QUERYDS
Because all dynamic information is stored in tables in the data collectors physical RAM, this command-line utility is provided to query the current information on the local zone data collector.
Syntax
queryds tables queryds /table:tablename queryds /query:querystring (Query String is optional, but you must specify a tablename.)
Parameters
tablename The name of the data collector table to query. Table names are case-sensitive.
Options
tables Returns a complete list of all tables available to query. /table:tablename Outputs to the screen the entire contents of the table specified by tablename.
285
Remarks
You can use queryds to determine which servers are currently available in a farm. It retrieves all information from the tables stored on the local zone data collector. For example, the PN_Table contains information about all available servers that are accepting Program Neighborhood connections. To view the entire contents of the PN_Table, execute the following command: queryds /table:PN_Table The output when executed on a single-server farm looks similar to the following: [PN_Table]: 1 records. name:588f host:XPSERVER1 zone:Zone1 Version:1 Tcp:enabled Ipx:enabled Netbios:disabled In a farm with 100 servers, this command outputs 702 lines of data. Use the findstr and sort command-line utilities to filter and sort the output for easier reading. Tip The findstr and sort commands are installed by default on both the Terminal Server Edition and Windows Server 2000 families. For more information about using the findstr command to filter output, type findstr /? at a command prompt. For more information about the sort command, type sort /? at a command prompt. The first entry shows the number of records in the PN_Table. This number also corresponds directly to the number of server records in the PN_Table. A server record does not exist in the PN_Table unless the servers IMA Service is started and the server is accepting Program Neighborhood connections. Thus, you can use the following command to determine how many servers in the farm are online: queryds /table:PN_Table | findstr /r PN_Table
286
The command shown below filters output using the word host (which prefaces each host name in the table) and displays an alphabetized list of all the servers currently online: queryds /table:PN_Table | findstr /r host | sort Using queryds in this manner provides a fast, customizable method to query any data collector table.
Queryds is not installed by default. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
You must be a MetaFrame Presentation Server administrator to execute this command.
287
QUERYHR
Use this utility to display information about member servers in the farm. Executing queryhr with no parameters lists all servers in the farm.
Syntax
queryhr [-z] queryhr [-h zonename] queryhr [-l] queryhr [-n hostname] queryhr [-i hostid] queryhr [-N] queryhr [-d hostid] queryhr [-?]
Parameters
zonename The name of the zone to be queried. Enclose multi-word zone names within quotation marks. hostname The name of the member server. hostid The host ID of the member server.
Options
-z Displays all available zones in the farm. -h zonename Displays all member servers in the zone specified by zonename. -l Displays the host record of the local host server. -n hostname Displays the host record for the member server specified by hostname, which is not case-sensitive.
288
-i hostid Displays the record for the member server specified by hostid. -N Displays the farm name. -d hostid Deletes the IMA Host Entry identified by hostid from the data collector, data store, and local host cache. For further information, see the Remarks section below. -? Displays the syntax for the utility and information about the utilitys options.
Remarks
Queryhr obtains information from the local host cache. Queryhr is best used to display information about servers in the farm, such as data collector ranking, host ID, zone names, and host names. CAUTION Do not use the d switch on farm servers that are working properly. After this switch is executed on a server, the server is no longer a member of the farm and the IMA Service will no longer start. The server must be reinstalled into the farm to restore functionality. Queryhr is not installed by default. It is located in the \support\debug\OS folder on the MetaFrame Presentation Server 3.0 CD; where OS is either w2k for Windows Server 2000 or W2K3 for Windows Server 2003.
You must be a MetaFrame Presentation Server administrator to execute this command.
289
SCCONFIG
By default, only processes required for smart card logon functionality (that is, Winlogon.exe and Lsass.exe) are turned on in MetaFrame Presentation Server. The smart card utility (Scconfig.exe) can be used to enable or disable smart card functionality for specific processes.
Syntax
scconfig [/?] scconfig [/server:sss] [/q] scconfig [/farm] [/q] scconfig [/server:sss] [/query] scconfig [/farm] [/query] scconfig [/server:sss] [/logon:on|off] scconfig [/farm] [/logon:on|off] scconfig [/server:sss] [/enable_process:ppp] scconfig [/farm] [/enable_process:ppp] scconfig [/server:sss] [/disable_process:ppp] scconfig [/farm] [/disable_process:ppp] scconfig [/server:sss] [/inherit:on|off]
Parameters
sss Name of server. ppp Name of process (for example, Outlook.exe).
290
Options
/farm View or modify farm-wide settings. /q, query Query current settings. /logon:on|off Enable/disable smart card logon on the server or farm. /enable_process:ppp Enable smart card support for the process specified. /disable_process:ppp Disable smart card support for the process specified. /inherit:on|off Inherit server settings from the farm. /server:sss Server to view or modify. This defaults to the local server. Example: To use Microsoft Outlook digital signatures and encryption with a smart card, you must enable the process Outlook.exe. On the remote server, the server subsystem handles the data store change event and makes the registry changes to enable or disable the feature. Use the /farm option to query or set a farm-wide default. Use the /inherit option to determine whether or not a server inherits a farmwide default. This functionality mimics that of twconfig and acrcfg.
291
LMNEWLOG
The lmnewlog utility switches the report log file by moving the existing report log information to a new file, then starting a new report log with the original report log file name. If you rotate report logs with lmnewlog instead of lmswitchr, you do not have to change the file name in the REPORTLOG line of the options file.
Syntax
lmnewlog [-c license_file_list] feature renamed_report_log -orlmnewlog [-c license_file_list] CITRIX renamed_report_log
Parameters
-c license_file_list Use the specified license files. feature Specifies any feature in the specified license files. CITRIX Specifies all features listed in the specified license files. renamed_report_log New file path where existing report log information is to be moved.
292
LMSWITCH
The lmswitch utility switches the debug log file written by the Citrix vendor daemon by closing the existing debug log for that vendor daemon and starting a new debug log for that vendor daemon with a new file name. It also starts a new debug log file written by that vendor daemon if one does not already exist.
Syntax
lmswitch [-c license_file_list] vendor new_debug_log
Parameters
-c license_file_list Use the specified license files. vendor Vendor daemon in this license file.. new_debug_log Path to new debug log file.
Remarks
By default, debug log output from lmgrd and all vendor daemons started by that lmgrd get written into the same debug file. lmswitch allows companies to keep separate log files for different vendors and control the size of their debug log file. If debug log output is not already directed to a separate file for this vendor daemon, lmswitch tells the vendor daemon to start writing its debug log output to a file, new_debug_log. If this vendor daemon is already writing to its own debug log, lmswitch tells the vendor daemon to close its current debug log file and start writing its debug log output to new_debug_log. Note The effect of lmswitch continues only until the vendor daemon is shut down or its options file is reread through lmreread. When the vendor daemon is restarted or its options file is reread, it looks for a DEBUGLOG line in the options file to determine whether or not to write its debug log output into its own file and, if so, what file to write.
APPENDIX B
Tested Hardware
The following hardware was used in the Citrix eLabs for testing MetaFrame Presentation Server 3.0: Acer Power Sd PIV as Client System Acer TravelMate C100 Acer TravelMate C110 Apple iMac Apple Power MAC G4 ( Non Windows PF Testing) Apple PowerBook G4 Alteon 24/24 Load Balancer Cisco Wireless WAP Cisco Aircards (802.11b) Cisco LocalDirector 416 Cisco PIXX 515 Firewall Appliance Compaq Aero Compaq Deskpro DPENM Compaq Deskpro DPEND Compaq DeskPro EN SFF Compaq DL 320 Compaq DL 350 Compaq DL 360 Compaq DL 380 Compaq DL 580 Compaq EVO T20 Compaq iPaq Compaq ML 330 Compaq Proliant BL20p Compaq Proliant 1850R Compaq Proliant 800 Compaq Proliant 8500R Compaq StorageWorks FC-AL Switch Compaq StorageWorks RA4100 Compaq StorageWorks MSA1000
294
Compaq TabletPC Compaq TaskSmart N2400 DLink DWL-650+ Wireles Card (22 MBs) Dell 1600SC Dell 1750 Dell OptiPlex GX1 Dell OptiPlex Gxa Dell PowerEdge 1400 Dell PowerEdge 1600SC Dell PowerEdge 1655MC Dell PowerEdge 1650 Dell PowerEdge 2650 Dell PowerEdge 6650 Dell Precision 220 machines Dell Precision 340 Dell Precision 360 EMC Celerra SE F5 BigIP 540 Load Balancer Fujitsu LifeBook P Series Fujitsu Stylistic 4100 Gateway ALR 7200 Hewlett Packard Jornada Hewlett Packard LaserJet Printers Hewlett Packard Netserver E60 Hewlett Packard NetServer LXe Pro Hewlett Packard ProCurve Switches Hewlett Packard TC4100 HHP USB Barcode Scanner IBM 4600 IBM IntelliStation M-Series IBM IntelliStation E-Series IBM NetFinity 3000 IBM NetFinity 3500 M10 IBM NetFinity 3500 M20 IBM NetFinity 5500 IBM ThinkPad R32 IBM xSeries 335 Identix Biometric Login USB devices (fingerprint) Intel 640T Lexmark T630 Lucent Pipeline ISDN Router Packeteer AppVantage ASM-70 Packeteer PacketShaper 2500 Packeteer Packetshaper 4500 Rainbow CryptoSwift 200 SSL Accelerator Cards
Appendix B Tested Hardware
295
Rainbow CryptoSwift 600 SSL Accelerator Cards Shunra Storm Seirra Wireless PCMCIA cards Sun Blade 150 - ( Non Windows PF Testing) Sun Ultra 5 Toshiba Portege 3500 ViewSonic Airpanel 100 Wyse Winterms WT9450, WT1200LE
APPENDIX C
Error Codes
IMA Error Codes

The items in the following table are Citrix IMA Service error codes that can appear in the Event Viewer
Hex value
00000000h 00000001h 00000002h 00000003h 00000004h 00000005h 00000009h 00130001h 00130002h 002D0001h 80000001h 80000002h 80000003h 80000004h 80000005h 80000006h 80000007h
Signed value
0 1 2 3 4 5 9 1245185 1245186 2949121 -2147483647 -2147483646 -2147483645 -2147483644 -2147483643 -2147483642 -2147483641
Unsigned value
0 1 2 3 4 5 9 1245185 1245186 2949121 2147483649 2147483650 2147483651 2147483652 2147483653 2147483654 2147483655
Mnemonic
IMA_RESULT_SUCCESS IMA_RESULT_OPERATION_INCOMPLETE IMA_RESULT_CALL_NEXT_HOOK IMA_RESULT_DISCARD_MESSAGE IMA_RESULT_CREATED_NEW IMA_RESULT_FOUND_EXISTING IMA_RESULT_CONNECTION_IDLE IMA_RESULT_DS_NOT_INSTALLED IMA_RESULT_SECURITY_INFO_INCOMPLETE IMA_RESULT_ALREADY_MASTER IMA_RESULT_FAILURE IMA_RESULT_NO_MEMORY IMA_RESULT_INVALID_ARG IMA_RESULT_UNKNOWN_MESSAGE IMA_RESULT_DESTINATION_UNREACHABLE IMA_RESULT_REFERENCE_COUNT_NOT_ZERO IMA_RESULT_ENTRY_NOT_FOUND
298
Hex value
80000008h 80000009h 8000000Ah 8000000Bh 8000000Ch 8000000Dh 8000000Eh 8000000Fh 80000010h 80000013h 80000014h 80000015h 80000016h 80000017h 80000018h 80000019h 8000001Ah 8000001Ch 8000001Dh 8000001Eh 8000001Fh 80000020h 80000021h 80000022h 80000023h 80000024h 80000025h 80000026h
Signed value
-2147483640 -2147483639 -2147483638 -2147483637 -2147483636 -2147483635 -2147483634 -2147483633 -2147483632 -2147483629 -2147483628 -2147483627 -2147483626 -2147483625 -2147483624 -2147483623 -2147483622 -2147483620 -2147483619 -2147483618 -2147483617 -2147483616 -2147483615 -2147483614 -2147483613 -2147483612 -2147483611 -2147483610
Unsigned value
2147483656 2147483657 2147483658 2147483659 2147483660 2147483661 2147483662 2147483663 2147483664 2147483667 2147483668 2147483669 2147483670 2147483671 2147483672 2147483673 2147483674 2147483676 2147483677 2147483678 2147483679 2147483680 2147483681 2147483682 2147483683 2147483684 2147483685 2147483686
Mnemonic
IMA_RESULT_NETWORK_FAILURE IMA_RESULT_NOT_IMPLEMENTED IMA_RESULT_INVALID_MESSAGE IMA_RESULT_TIMEOUT IMA_RESULT_POINTER_IS_NULL IMA_RESULT_UNINITIALIZED IMA_RESULT_FINDITEM_FAILURE IMA_RESULT_CREATEPOOL_FAILURE IMA_RESULT_SUBSYS_NOT_FOUND IMA_RESULT_PS_UNINITIALIZED IMA_RESULT_REGMAPFAIL IMA_RESULT_DEST_TOO_SMALL IMA_RESULT_ACCESS_DENIED IMA_RESULT_NOT_SHUTTING_DOWN IMA_RESULT_MUSTLOAD_FAILURE IMA_RESULT_CREATELOCK_FAILURE IMA_RESULT_SHUTDOWN_FAILURE IMA_RESULT_SENDWAIT_FAILURE IMA_RESULT_NO_COLLECTORS IMA_RESULT_UPDATED IMA_RESULT_NO_CHANGE IMA_RESULT_LEGACY_NOT_ENABLED IMA_RESULT_VALUE_ALREADY_CREATED IMA_RESULT_UID_EXCEEDED_BOUNDS IMA_RESULT_NO_EVENTS IMA_RESULT_NOT_FOUND IMA_RESULT_ALREADY_EXISTS IMA_RESULT_GROUP_ALREADY_EXISTS
Appendix C Error Codes
299
Hex value
80000027h 80000028h 80000029h 8000002Ah 8000002Bh 8000002Ch 8000002Dh 8000002Eh 8000002Fh 80000030h 80000031h 80000032h 80000033h 80000034h 80000035h 80000036h 80000037h 80000038h 80000039h 8000003Ah 80040001h 80040002h 80040003h 80040004h 80040005h 80040006h 80040007h 80040008h
Signed value
-2147483609 -2147483608 -2147483607 -2147483606 -2147483605 -2147483604 -2147483603 -2147483602 -2147483601 -2147483600 -2147483599 -2147483598 -2147483597 -2147483596 -2147483595 -2147483594 -2147483593 -2147483592 -2147483591 -2147483590 -2147221503 -2147221502 -2147221501 -2147221500 -2147221499 -2147221498 -2147221497 -2147221496
Unsigned value
2147483687 2147483688 2147483689 2147483690 2147483691 2147483692 2147483693 2147483694 2147483695 2147483696 2147483697 2147483698 2147483699 2147483700 2147483701 2147483702 2147483703 2147483704 2147483705 2147483706 2147745793 2147745794 2147745795 2147745796 2147745797 2147745798 2147745799 2147745800
Mnemonic
IMA_RESULT_NOT_A_GROUP IMA_RESULT_GROUP_DIR_ACCESS_FAILURE IMA_RESULT_EOF IMA_RESULT_REGISTRY_ERROR IMA_RESULT_DSN_OPEN_FAILURE IMA_RESULT_REMOVING_PSSERVER IMA_RESULT_NO_REPLY_SENT IMA_RESULT_PLUGIN_FAILED_VERIFY IMA_RESULT_FILE_NOT_FOUND IMA_RESULT_PLUGIN_ENTRY_NOT_FOUND IMA_RESULT_CLOSED IMA_RESULT_PATH_NAME_TOO_LONG IMA_RESULT_CREATEMESSAGEPORT_FAILED IMA_RESULT_ALTADDRESS_NOT_DEFINED IMA_RESULT_WOULD_BLOCK IMA_RESULT_ALREADY_CLOSED IMA_RESULT_TOO_BUSY IMA_RESULT_HOST_SHUTTING_DOWN IMA_RESULT_PORT_IN_USE IMA_RESULT_NOT_SUPPORTED IMA_RESULT_FILE_OPEN_FAILURE IMA_RESULT_SESSION_REQUEST_DENIED IMA_RESULT_JOB_NOT_FOUND IMA_RESULT_SESSION_NOT_FOUND IMA_RESULT_FILE_SEEK_FAILURE IMA_RESULT_FILE_READ_FAILURE IMA_RESULT_FILE_WRITE_FAILURE IMA_RESULT_JOB_CANNOT_BE_UPDATED
300
Hex value
80040009h 8004000Ah 80060001h 80060002h 80060003h 80060004h 80060005h 80060006h 80060007h 80060008h 80060009h 8006000Ah 8006000Bh 8006000Ch 8006000Dh 8006000Eh 8006000Fh 80060010h 80060011h 80060012h 80060013h 80060014h 80060015h 80060016h 80060017h 80060018h 80060019h 8006001Ah
Signed value
-2147221495 -2147221494 -2147090431 -2147090430 -2147090429 -2147090428 -2147090427 -2147090426 -2147090425 -2147090424 -2147090423 -2147090422 -2147090421 -2147090420 -2147090419 -2147090418 -2147090417 -2147090416 -2147090415 -2147090414 -2147090413 -2147090412 -2147090411 -2147090410 -2147090409 -2147090408 -2147090407 -2147090406
Unsigned value
2147745801 2147745802 2147876865 2147876866 2147876867 2147876868 2147876869 2147876870 2147876871 2147876872 2147876873 2147876874 2147876875 2147876876 2147876877 2147876878 2147876879 2147876880 2147876881 2147876882 2147876883 2147876884 2147876885 2147876886 2147876887 2147876888 2147876889 2147876890
Mnemonic
IMA_RESULT_NO_TARGET_HOSTS IMA_RESULT_NO_SOURCE_FILES IMA_RESULT_ATTR_NOT_FOUND IMA_RESULT_CONTEXT_NOT_FOUND IMA_RESULT_VALUE_NOT_FOUND IMA_RESULT_DATA_NOT_FOUND IMA_RESULT_ENTRY_LOCKED IMA_RESULT_SEARCH_HASMORE IMA_RESULT_INCOMPLETE IMA_RESULT_READEXCEPTION IMA_RESULT_WRITEEXCEPTION IMA_RESULT_LDAP_PARTIALINSTALL IMA_RESULT_LDAP_NOTREADY IMA_RESULT_BUFFER_TOO_SMALL IMA_RESULT_CONTAINER_NOT_EMPTY IMA_RESULT_CONFIGURATION_ERROR IMA_RESULT_GET_BASEOBJECT IMA_RESULT_GET_DERIVEDOBJECT IMA_RESULT_OBJECTCLASS_NOTMATCH IMA_RESULT_ATTRIBUTE_NOTINDEXED IMA_RESULT_OBJECTCLASS_VIOLATION IMA_RESULT_ENUMFAIL IMA_RESULT_ENUMNODATA IMA_RESULT_DBCONNECT_FAILURE IMA_RESULT_TRUNCATE IMA_RESULT_DUPLICATE IMA_RESULT_PS_NOTINITIALIZED IMA_RESULT_USING_ORACLE_7
301
Hex value
8006001Bh 8006001Ch 8006001Dh 8006001Eh 80060033h 80060034h 80060035h 80060036h 80060037h 80060038h 80060039h 8006003Ah 8006003Bh 8006003Ch 8006003Dh 8006003Eh 8006003Fh 80060040h 80110104h 80110105h 80130001h 80130002h 80130003h 80130004h 80130005h 80130006h
Signed value
-2147090405 -2147090404 -2147090403 -2147090402 -2147090381 -2147090380 -2147090379 -2147090378 -2147090377 -2147090376 -2147090375 -2147090374 -2147090373 -2147090372 -2147090371 -2147090370 -2147090369 -2147090368 -2146369276 -2146369024 -2146238463 -2146238462 -2146238461 -2146238460 -2146238459 -2146238458
Unsigned value
2147876891 2147876892 2147876893 2147876894 2147876915 2147876916 2147876917 2147876918 2147876919 2147876920 2147876921 2147876922 2147876923 2147876924 2147876925 2147876926 2147876927 214787928 2148598020 2148598272 2148728833 2148728834 2148728835 2148728836 2148728837 2148728838
Mnemonic
IMA_RESULT_USING_ORACLE_8 IMA_RESULT_USING_ORACLE_UNKNOWN IMA_RESULT_LOAD_DAO_ENGINE_FAILED IMA_RESULT_COMPACT_DB_FAILED IMA_RESULT_ODBC_NO_CONNECTIONS_AVAIL ABLE IMA_RESULT_CREATE_SQL_ENVIRONMENT_FAI LED IMA_RESULT_SQL_EXECUTE_FAILED IMA_RESULT_SQL_FETCH_FAILED IMA_RESULT_SQL_BIND_PARAM_FAILED IMA_RESULT_SQL_GET_COLUMN_DATA_FAILED IMA_RESULT_REPLICATED_DATA_CONTENTION IMA_RESULT_DB_TABLE_NOT_FOUND IMA_RESULT_CONNECTION_EXIST IMA_RESULT_QUERY_MAX_NODEID_FAILED IMA_RESULT_SQL_FUNCTION_SEQUENCE_ERR OR IMA_RESULT_DB_CONNECTION_TIMEOUT IMA_RESULT_SQL_INVALID_TRANSACTION_STA TE IMA_RESULT_DB_NO_DISK_SPACE LMS_RESULT_NO_SERVER_AVAILABLE IMA_RESULT_FULL_SERVER_OR_APP_LOAD_R EACHED IMA_RESULT_MORE_ITEMS IMA_RESULT_INVALID_ACCOUNT IMA_RESULT_INVALID_PASSWORD IMA_RESULT_EXPIRED_PASSWORD IMA_RESULT_GROUP_IGNORED IMA_RESULT_BUILTIN_GROUP
302
Hex value
80130007h 80130008h 80130009h 8013000Ah 8013000Bh 8013000Ch 80160001h 80160002h 80160003h 80160004h 80160005h 80160006h 80160007h 80160008h 80160009h 8016000Ch 8016000Fh 80160010h 80160011h 80160012h 80160013h 80160014h 80160015h 80260001h 80260002h 802D0001h 802D0002h
Signed value
-2146238457 -2146238456 -2146238455 -2146238454 -2146238453 -2146238452 -2146041855 -2146041854 -2146041853 -2146041852 -2146041851 -2146041850 -2146041849 -2146041848 -2146041847 -2146041844 -2146041841 -2146041840 -2146041839 -2146041838 -2146041837 -2146041836 -2146041835 -2144993279 -2144993278 -2144534527 -2144534526
Unsigned value
2148728839 2148728840 2148728841 2148728842 2148728843 2148728844 2148925441 2148925442 2148925443 2148925444 2148925445 2148925446 2148925447 2148925448 2148925449 2148925452 2148925455 2148925456 2148925457 2148925458 2148925459 2148925460 2148925461 2149974017 2149974018 2150432769 2150432770
Mnemonic
IMA_RESULT_DC_NOT_AVAILABLE IMA_RESULT_NW_CLIENT_NOT_INSTALLED IMA_RESULT_ACCOUNT_LOCKED_OUT IMA_RESULT_INVALID_LOGON_HOURS IMA_RESULT_ACCOUNT_DISABLED IMA_RESULT_PREFERRED_TREE_NOT_SET IMA_RESULT_NODE_NOT_FOUND IMA_RESULT_NODE_NAME_INVALID IMA_RESULT_NODE_NOT_EMPTY IMA_RESULT_NODE_MOVE_DENIED IMA_RESULT_NODE_NAME_NOT_UNIQUE IMA_RESULT_NODE_RENAME_DENIED IMA_RESULT_CONSTRAINT_VIOLATION IMA_RESULT_LDAP_PROTOCOL_ERROR IMA_RESULT_LDAP_SERVER_DOWN IMA_RESULT_NODE_DELETE_DENIED IMA_RESULT_CANNOTCHANGE_PASSWORD IMA_RESULT_CANNOTCHANGE_LAST_RW IMA_RESULT_LOGON_USER_DISABLED IMA_RESULT_CMC_CONNECTION_DISABLED IMA_RESULT_INSUFFICIENT_SERVER_SEC_FO R_USER IMA_RESULT_FEATURE_LICENSE_NOT_FOUND IMA_RESULT_DISALLOW_CMC_LOGON IMA_RESULT_NW_PRINT_SERVER_ALREADY_P RESENT IMA_RESULT_SERVER_ALREADY_PRESENT IMA_RESULT_TABLE_NOT_FOUND IMA_RESULT_NOT_TABLE_OWNER
303
Hex value
802D0003h 802D0004h 802D0005h 802D0006h 802D0007h 802D0008h 802D0009h 802D000Ah 802D000Bh 802D000Ch 80300001h 80300002h 80300003h 80300004h 80300005h 80300006h 80300007h 80300008h 80300009h 8030000Ah
Signed value
-2144534525 -2144534524 -2144534523 -2144534522 -2144534521 -2144534520 -2144534519 -2144534518 -2144534517 -2144534516 -2144337919 -2144337920 -2144337921 -2144337922 -2144337923 -2144337924 -2144337925 -2144337926 -2144337927 -2144337928
Unsigned value
2150432771 2150432772 2150432773 2150432774 2150432775 2150432776 2150432777 2150432778 2150432779 2150432780 2150629377 2150629378 2150629379 2150629380 2150629381 2150629382 2150629383 2150629384 2150629385 2150629386
Mnemonic
IMA_RESULT_INVALID_QUERY IMA_RESULT_TABLE_OWNER_HAS_CHANGED IMA_RESULT_SERVICE_NOT_AVAILABLE IMA_RESULT_ZONE_MASTER_UNKNOWN IMA_RESULT_NON_UNIQUE_HOSTID IMA_RESULT_REG_VALUE_NOT_FOUND IMA_RESULT_PARTIAL_LOAD IMA_RESULT_GATEWAY_NOT_ESTABLISHED IMA_RESULT_INVALID_GATEWAY IMA_RESULT_SERVER_NOT_AVAILABLE IMA_RESULT_SERVICE_NOT_SUPPORTED IMA_RESULT_BUILD_SD_FAILED IMA_RESULT_RPC_USE_ENDPOINT_FAILED IMA_RESULT_RPC_REG_INTERFACE_FAILED IMA_RESULT_RPC_LISTEN_FAILED IMA_RESULT_BUILD_FILTER_FAILED IMA_RESULT_RPC_BUFFER_TOO_SMALL IMA_RESULT_REQUEST_TICKET_FAILED IMA_RESULT_INVALID_TICKET IMA_RESULT_LOAD_TICKETDLL_FAILED
304
Event Log Warning and Error Messages

The following warnings and error messages are found in ImaMsgs.dll and appear in the Event Log.
Message ID 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603 3604 3605 Severity Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Error Message Text Failed to open system registry key with error %1\r\n Failed to initialize registrar component with error %1\r\n Failed to prepare the transport system for operation with error %1\r\n Incompatible WinSock version\r\n Failed to prepare the messaging system for operation with error %1\r\n Invalid FailedComponentId (%1)\r\n Failed to prepare the plugin system with error %1\r\n Failed to initialize all components with error %1\r\n Failed to start transport with error %1\r\n Failed to create a new message port with error %1\r\n Failed to create an event queue with error %1\r\n Failed to load initial plugins with error %1\r\n Failed to unload initial plugin with error %1\r\n Failed to unload subsystems with error %2\r\n Failed to destroy system event queue with error %1\r\n Failed to stop transport with error %1\r\n Failed to stop system with error %1\r\n Failed to uninitialize system with error %1\r\n Failed to start system with error %1\r\n Failed to load plugin %1 with error %2\r\n Failed to initiate RPC for Remote Access Subsystem with error %1\r\n Failed to connect to the database. Error - %1\r\nIncrease the number of processes available to the database. See MetaFrame Presentation Server documentation for details\r\n.
305
Message ID 3606
Severity Error
Message Text The Citrix MetaFrame Presentation Server failed to connect to the Data Store. Error - %1\r\nInvalid database user name or password. Ensure they are correct. If not, use DSMAINT CONFIG to change them. \r\n. Failed to connect to the database with error. Error - %1\r\nThe ACCESS .mdb file is missing.\r\n. The MetaFrame Presentation Server failed to connect to the Data Store. Error - %1\r\nThe database is down or there is a network failure.\r\n The MetaFrame Presentation Server failed to connect to the Data Store. Error - %1\r\nAn unknown failure occurred while connecting to the database.\r\n Configuration error: Failed to read the farm name out of the registry on a server configured \r\nto access the Data Store directly.\r\n Configuration error: Failed to get the farm name from the Data Store proxy server with error %1. This server is configured to access the Data Store indirectly. The server specified as the Data Store proxy is not available. Verify that the Data Store proxy server is accessible and that the IMA Service is started on it. Configuration error: Failed to open IMA registry key.\r\n 96 hours have passed since last successful connection to the Data Store. This server will no longer accept connections until successful connection to the Data Store is established.. The MetaFrame Presentation Server failed to connect to the Data Store. Error - %1 Invalid database user name or password. Ensure they are correct. If not, use DSMAINT CONFIG to change them. The MetaFrame Presentation Server failed to connect to the Data Store. Error - %1 The database is down or there is a network failure. The MetaFrame Presentation Server failed to connect to the Data Store. Error - %1 An unknown failure occurred while connecting to the database. Unable to bind to group context in data store. Group consistency check\r\nwill not run. (Result: %1)\r\n Unable to locate groups in data store at DN %1. Group consistency check will\r\nnot run. (Result: %2)\r\n Group Consistency Check: Group at DN %1 is missing the GroupMember Attribute.\r\n Group Consistency Check: Group at DN %1 contained reference to an unknown\r\nobject with type %3 and UID %2.\r\n
3607 3608
Error Error
3609
Error
3610 3611
Error Error
3612 3613
Error Error
3614
Warning
3615 3616
Warning Warning
3840 3841 3842 3843
Error Error Error Error
306
Message ID 3844 3845
Severity Error Error
Message Text Group Consistency Check: Group at DN %3 contains an object with UID %1\r\nand type %2. This object is missing the %4 attribute.\r\n Group Consistency Check: Group at DN %3 is contains an object with UID %1\r\nand type %2. This object is missing the value for the %4 attribute.\r\n Unable to bind to server contexts in data store. Server consistency\r\ncheck will not run. (Result: %1)\r\n Server Consistency Check: Unable to locate host records in data store. The\r\nserver host record consistency check will not run. (Result: %1)\r\n Server Consistency Check: Unable to locate common server records in data\r\nstore. The common server consistency check will not run. (Result: %1)\r\n Server Consistency Check: Unable to locate MetaFrame Presentation Server records in data\r\nstore. The MetaFrame server consistency check will not run. (Result: %1)\r\n Server Consistency Check: Host record for HostName %2 at DN %1 references a\r\nCommon Server record that cannot be found in the data store.\r\n Server Consistency Check: Host record for HostName %2 at DN %1 references a\r\nCommon Server record that has a HostName of %3. This mismatch is an error.\r\n Server Consistency Check: Host record for HostName %2 at DN %1 references a\r\nCommon Server record that cannot be found in the data store. (Result: %3)\r\n Server Consistency Check: Common Server record for HostName %2 at DN %1\r\nreferences a Host record that cannot be found in the data store.\r\n Server Consistency Check: Common Server record for HostName %2 at DN %1 has\r\na HostID of %3. The corresponding Host record has a HostID of %4. This\r\nmismatch is an error.\r\n Server Consistency Check: Common Server record for HostName %2 at DN %1\r\nreferences a Host record that cannot be found in the data store. (Result: %3)\r\n Server Consistency Check: The Common Server record with HostName %1 at DN %2\r\nis invalid. There is no registered server product for this record.\r\n. Server Consistency Check: The Common Server record with HostName %1 at DN %2\r\nis invalid. The corresponding MetaFrame Presentation Server record cannot be accessed.\r\n.
3872 3873
Error Error
3874
Error
3875
Error
3876
Error
3877
Error
3878
Error
3879
Error
3880
Error
3881
Error
3882
Error
3883
Error
307
Message ID 3884
Severity Error
Message Text Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at\r\nDN %2 is invalid. The associated Common Server UID is not set.\r\n. Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at DN %2\r\nis invalid. The associated Common Server record cannot be accessed.\r\n Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at\r\nDN %2 may be invalid. The MetaFrame Presentation Server record HostID of %3 does not match\r\nthe Common Server record HostID of %4.\r\n Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at\r\nDN %2 is invalid. The associated Common Server record has a different\r\nHostName (%3).\r\n Server Consistency Check: Unable to locate Load Manager for MetaFrame XP(TM) Server entry for HostName %1. \r\n(Result: %2)\r\n Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at\r\nDN %2 may be invalid. The Load Manager for MetaFrame XP(TM) Server entry was not found.\r\n Server Consistency Check: The MetaFrame Presentation Server record with HostName %1 at\r\nDN %2 is invalid. The associated Account Authority Server record was not found.\r\n Unable to bind to application contexts in data store. Application consistency\r\ncheck will not run. (Result: %1)\r\n Application Consistency Check: Unable to locate Common Application records\r\nin the data store. Common application consistency check will not run. \r\n(Result: %1)\r\n Application Consistency Check: Unable to locate MetaFrame Application records\r\nin the data store. MetaFrame application consistency check will not run. \r\n(Result: %1)\r\n Application Consistency Check: The Common Application record at DN %1 does not\r\nhave a Friendly Name. (Result: %2)\r\n Application Consistency Check: The Common Application record at DN %1 does not\r\nhave a Browser Name. (Result: %2)\r\n Application Consistency Check: The Common Application record with Friendly\r\nName %1 at DN %2 does not have a specialized application UID. (Result: %3)\r\n Application Consistency Check: The Common Application record with Friendly\r\nName %1 at DN %2 references a MetaFrame Application record that cannot be\r\naccessed. (Result: %3)\r\n
3885
Error
3886
Error
3887
Error
3888
Error
3889
Error
3890
Error
3904 3905
Error Error
3906
Error
3907 3908 3909
Error Error Error
3910
Error
308
Message ID 3911
Severity Error
Message Text Application Consistency Check: The Common Application record with Friendly\r\nName %1 at DN %2 references a MetaFrame Application record. This record does\r\nnot have a Friendly Name. (Result: %3)\r\n Application Consistency Check: The Common Application record with Friendly\r\nName %1 at DN %2 references a MetaFrame Application record. This record does\r\nnot have a Browser Name. (Result: %3)\r\n Application Consistency Check: The Common Application record at DN %2 has a\r\nFriendly Name of %1. The corresponding MetaFrame Application record has a\r\nFriendly Name of %3. This mismatch is an error.\r\n Application Consistency Check: The Common Application record at DN %2 has a\r\nBrowser Name of %1. The corresponding MetaFrame Application record has a\r\nBrowser Name of %3. This mismatch is an error.\r\n Application Consistency Check: The MetaFrame Application record at DN %1 does\r\nnot have a Friendly Name. (Result: %2)\r\n Application Consistency Check: The MetaFrame Application record at DN %1 does\r\nnot have a Browser Name. (Result: %2)\r\n Application Consistency Check: The MetaFrame Application record with Friendly\r\nName %1 at DN %2 does not have a common application UID. (Result: %3)\r\n Application Consistency Check: The MetaFrame Application record with Friendly\r\nName %1 at DN %2 references a Common Application record (UID %3) that cannot be\r\naccessed. (Result: %4)\r\n Application Consistency Check: The MetaFrame Application record with Friendly\r\nName %1 at DN %2 references a Common Application record. This record does\r\nnot have a Friendly Name. (Result: %3)\r\n Application Consistency Check: The MetaFrame Application record with Friendly\r\nName %1 at DN %2 references a Common Application record. This record does\r\nnot have a Browser Name. (Result: %3)\r\n Application Consistency Check: The MetaFrame Application record at DN %2 has a\r\nFriendly Name of %1. The corresponding Common Application record has a\r\nFriendly Name of %3. This mismatch is an error.\r\n
3912
Error
3913
Error
3914
Error
3915 3916 3917
Error Error Error
3918
Error
3919
Error
3920
Error
3921
Error
309
Message ID 3922
Severity Error
Message Text Application Consistency Check: The MetaFrame Application record at DN %2 has a\r\nBrowser Name of %1. The corresponding Common Application record has a\r\nBrowser Name of %3. This mismatch is an error.\r\n Common Application cleanup, deleting record at DN <%1> MetaFrame Application cleanup, deleting record at DN <%1> MetaFrame Presentation Server cleanup, deleting record at DN <%1> Common Server cleanup, deleting record at DN <%1> Server Host Record cleanup, deleting record at DN <%1> Unable to open Citrix Runtime registry key. Application terminated. \r\n(Status: %1)\r\n Unable to read Neighborhood name from registry. Application terminated. \r\n(Status: %1)\r\n Unable to initialize Data Store connection. This server must have a direct\r\nconnection to the data store. Application terminated. (Result: %1)\r\n Data Store Validation Utility. Version: %1 Unable to initialize event log. Messages will be displayed on console only.\r\n Some consistency checks were unsuccessful. Results below indicate the number\r\nof errors or -1 for test not run: Server Errors = %1,\r\nApplication Errors = %2, Group Errors = %3.\r\n All consistency checks were successful. Some consistency checks were unsuccessful. Results below indicate the number of errors or -1 for test not run: Server Errors = %1, Application Errors = %2, Group Errors = %3. The Data Collector is out of memory, and the Dynamic Store data might be out of sync.\r\n Elect a new Data Collector and ensure that you have enough memory on the new Data Collector.\r\n.
3936 3937 3938 3939 3940 3952 3953 3954
Error Error Error Error Error Error Error Error
3956 3957 3958
Error Error Error
3959 3960
Error Error
3961
Error
310
IMA Subsystem Tracing

Use the information in this table to determine which registry keys need to be activated for different MetaFrame Presentation Server systems.
MetaFrame Presentation Server System Application Management, Application Folders COM/SDK, Presentation Server Console Common Application settings (Load Manager, Installation Manager, Unix) Common Server (common farm server properties and server enumeration) Data store (including ) Subsystems to Trace ImaAdminSal Remote Access ImaAppSal, ImaAppSs ImaSrvSal, ImaSrvSs
Directory Subsystem, System\DataStoreDriver, Profiling\DataStore, Profiling\, Runtime\PersistentStore Runtime\DynamicStore, Profiling\DynamicStore IMA_FileSS ImaGrpSal, IMAGroup Runtime\HostResolver IMA_Browser ImaRpc, ImaLicRpc, ImaMfRpc ImsSal LmsSal, LMS_Subsystem MfAppSal, MFApp MfSrvSal, MFSrvSs Policy MfPrintSal, IMA_Printer, ImaRelSal, IMARelationship ImaDistSal, IMADistribution
Dynamic Store File Browsing Folder Enumeration Host Resolver IMA Browser IMA Program Interface (Windows Terminal Services, other software) IMS Load Management MetaFrame Applications (enumeration and properties) MetaFrame Server Properties (ICA Display, MetaFrame Settings) Policy Printer Management and Printer Drivers Printer Replication
311
MetaFrame Presentation Server System Program Neighborhood Remote Access Runtime Service Locator Subscription Manager User Management (User Lists, Viewing and Launching Applications. Network Printer Autocreation) Zone Manager
Subsystems to Trace MfPNSal RemoteAccess, Remote Access Runtime\Runtime Runtime\ServiceLocator Runtime\SubscriptionManager ImaUserSal, IMA_AAMS, WinDrvSS, NDSDrvSS Runtime\ZoneManager
312
Presentation Server Console Error Codes

The information in the following table relates to Presentation Server Console errors and should be referenced when you call Citrix Technical Support for help. Citrix Technical Support requires the information in the last column; this information does not appear in any other documentation.
ERROR CODE (DECIMAL) -1072297322 ERROR CODE (HEX) ERROR MESSAGE C0160A96 AN ERROR OCCURRED WHILE ATTEMPTING TO RETRIEVE THE BACKUP FARM METRIC SERVER DETAILS. THE ERROR RETURNED WAS: ~0~. AN ERROR OCCURRED WHILE ATTEMPTING TO SET THE FARM METRIC SERVERS. THE ERROR RETURNED WAS: ~0~. THE BACKUP FARM METRIC SERVER MAY NOT BE IDENTICAL TO THE PRIMARY FARM METRIC SERVER. CHOOSE A DIFFERENT BACKUP FARM METRIC SERVER. NO ALARM OBJECTS HAVE BEEN RETURNED FROM THE MONITOR. CANNOT RETRIEVE COUNTER INSTANCE NAMES. COULD NOT RETRIEVE THE LIST OF IGNORED PROCESSES. COULD NOT SAVE THE NEW LIST OF IGNORED PROCESSES. COULD NOT SAVE THE NEW LIST OF IGNORED PROCESSES: ~0~. THE APPLICATION NAME IS INVALID. IT CANNOT CONTAIN ANY OF THE FOLLOWING CHARACTERS: ~0~. THERE WAS NO RESPONSE FROM RESOURCE MANAGER. ERROR COMES FROM RESOURCEMGR
-1072297321
C0160A97
RESOURCEMGR
-1072297320
C0160A98
RESOURCEMGR
-1072297319 -1072297318 -1072297318 -1072297302 -1072297301 -1072297300 -1072297282
C0160A99 C0160A9A C0160AAA C0160AAB C0160AAC C0160ABE
RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR
-1072297281
C0160ABF
RESOURCEMGR
313
ERROR CODE (DECIMAL) -1072297280
ERROR CODE (HEX) ERROR MESSAGE C0160AC0 AN ERROR OCCURRED WHEN ATTEMPTING TO CREATE THE APPLICATION. THE ERROR RETURNED WAS: ~0~. YOU MUST SPECIFY AN APPLICATION NAME. YOU MUST SPECIFY THE FULL PATH AND FILENAME OF THE APPLICATION. YOU MUST SELECT AT LEAST ONE SERVER. YOU HAVE NOT PROVIDED A NEW APPLICATION NAME. THIS APPLICATION NAME ALREADY EXISTS. ENTER A DIFFERENT APPLICATION NAME. AN ERROR OCCURRED WHEN ATTEMPTING TO UPDATE THE APPLICATION PROPERTIES. THE ERROR RETURNED WAS: ~0~. ERROR SENDING REQUEST FOR COUNTER LIST FROM FARM METRIC SERVER. ERROR TALKING TO THE MONITOR SUBSYSTEM. ERROR UPDATING APPLICATION PROPERTIES. CONFIRM THAT THE DATA STORE CAN BE ACCESSED. AN OBJECT WITH THE SAME NAME ALREADY EXISTS IN THE TARGET FOLDER! AN UNEXPECTED ERROR OCCURRED WHEN TRYING TO MOVE THE APPLICATION. THE ERROR RETURNED WAS: ~0~. THE APPLICATION NAME CAN BE NO LONGER THAN ~0~ CHARACTERS.
ERROR COMES FROM RESOURCEMGR
-1072297277 -1072297276
C0160AC3 C0160AC4
RESOURCEMGR RESOURCEMGR
-1072297275 -1072297274 -1072297273
C0160AC5 C0160AC6 C0160AC7
RESOURCEMGR RESOURCEMGR RESOURCEMGR
-1072297272
C0160AC8
RESOURCEMGR
-1072297271
C0160AC9
RESOURCEMGR
-1072297270 -1072297268
C0160ACA C0160ACC
-1072297267
C0160ACD
RESOURCEMGR
-1072297266
C0160ACE
RESOURCEMGR
-1072297265
C0160ACF
RESOURCEMGR
314
ERROR CODE (DECIMAL) -1072297262 -1072297261 -1072297260 -1072297259 -1072297258
ERROR CODE (HEX) ERROR MESSAGE C0160AD2 C0160AD3 C0160AD4 C0160AD5 C0160AD6 ERROR READING APPLICATION METRIC PROPERTIES INFORMATION. ERROR RETRIEVING METRIC PROPERTIES. ERROR WRITING APPLICATION METRIC PROPERTIES INFORMATION. ERROR WRITING SERVER METRIC PROPERTIES INFORMATION. AN ERROR OCCURRED WHILE UPDATING THE APPLICATION METRICS. AN ERROR OCCURRED WHILE UPDATING THE APPLICATION METRIC PROPERTIES. SERVER_ADD_REMOVE_METRICS_ WRITE_ERROR SERVER_RESTORE_METRICS_WRIT E_ERROR AN UNKNOWN ERROR OCCURRED WHILE TRYING TO GET THE LOG FOR ~0~. AN UNEXPECTED ERROR OCCURRED RETRIEVING THE REBOOT MESSAGE DETAILS. THE ERROR RETURNED WAS: ~0~. AN UNEXPECTED ERROR OCCURRED SETTING THE REBOOT MESSAGE DETAILS. THE ERROR RETURNED WAS: ~0~. ERROR SENDING REQUEST FOR COUNTER LIST FROM FARM METRIC SERVER.
ERROR COMES FROM RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR
-1072297257
C0160AD7
RESOURCEMGR
C0160AD8 C0160AD9 -1072297245 C0160AE3
-1072297251
C0160ADD
RESOURCEMGR
-1072297250
C0160ADE
RESOURCEMGR
-1072297231
C0160AF1
RESOURCEMGR
315
ERROR CODE (HEX) ERROR MESSAGE C0160AF2 THE FARM METRIC SERVER(S) CANNOT BE CONTACTED. THIS WILL CAUSE RESOURCE MANAGER TO FUNCTION INCORRECTLY. CHECK THAT THE FARM METRIC SERVER(S) ARE RUNNING AND CAN BE CONTACTED. FAILED TO SET ALERTS CONFIGURATION FAILED TO SET SNMP ALERTS CONFIGURATION: ~0~. MUST SUPPLY A GATEWAY NAME. MUST SUPPLY A USER NAME. MUST SUPPLY A GROUP NAME. GATEWAY "~0~" ALREADY EXISTS. USER OR GROUP NAME "~0~" ALREADY EXISTS. ILLEGAL CHARACTER(S) IN PHONE NUMBER. CANNOT ADD A USER - CONFIGURE A GATEWAY FIRST. CANNOT ADD A GROUP CONFIGURE A USER FIRST CANNOT DELETE GATEWAY WHILE A USER ITEM STILL REFERS TO IT. ILLEGAL CHARACTER(S) IN PREFIX. FAILED TO RETRIEVE REPORT: ~0~. THIS REPORT COULD NOT BE SAVED. CHECK THAT THE SERVER IS ONLINE AND THE LOCATION THAT THE FILE IS TO BE SAVED EXISTS AND THAT YOU HAVE THE NECESSARY PERMISSIONS TO SAVE FILES IN THAT LOCATION.
-1072297221 -1072297216 -1072297200 -1072297199 -1072297198 -1072297197 -1072297196 -1072297195 -1072297194 -1072297193 -1072297192 -1072297191 -1072297182 -1072297180
C0160AFB C0160B00 C0160B10 C0160B11 C0160B12 C0160B13 C0160B14 C0160B15 C0160B16 C0160B17 C0160B18 C0160B19 C0160B22 C0160B24
RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR
316
ERROR CODE (DECIMAL) -1072297179 -1072297142 -1072297141 -1072297140 -1072297139
ERROR CODE (HEX) ERROR MESSAGE C0160B25 C0160B4A C0160B4B C0160B4C C0160B4D FAILED TO CONVERT REPORT: ~0~. CITRIX RESOURCE MANAGER IS NOT LICENSED. UNABLE TO CONTACT IMA SERVICE RUNNING ON UNABLE TO CONTACT IMA SERVICE RUNNING ON RECEIVED AN INVALID PACKET FROM THE IMA SERVICE RUNNING ON FAILED TO GENERATE SERVER SUMMARY REPORT. CHECK THAT THE DBMS AND DATABASE CONNECTION SERVERS, AND THE IMA CONNECTION TO THE DATABASE CONNECTION SERVER ARE WORKING PROPERLY. FAILED TO GENERATE USER SUMMARY REPORT. CHECK THAT THE DBMS AND DATABASE CONNECTION SERVERS, AND THE IMA CONNECTION TO THE DATABASE CONNECTION SERVER ARE WORKING PROPERLY. FAILED TO GENERATE PROCESS SUMMARY REPORT. CHECK THAT THE DBMS AND DATABASE CONNECTION SERVERS, AND THE IMA CONNECTION TO THE DATABASE CONNECTION SERVER ARE WORKING PROPERLY. FAILED TO CREATE SERVER SNAPSHOT REPORT FAILED TO CREATE CURRENT USER REPORT FAILED TO CREATE CURRENT PROCESS REPORT
ERROR COMES FROM RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR
-1072297132
C0160B54
RESOURCEMGR
-1072297131
C0160B55
RESOURCEMGR
-1072297130
C0160B56
RESOURCEMGR
-1072297129 -1072297128 -1072297127
C0160B57 C0160B58 C0160B59
317
ERROR CODE (HEX) ERROR MESSAGE C0160B5A UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER DATABASE CONNECTION SERVER. SUMMARY REPORTS WILL NOT BE AVAILABLE. UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER DATABASE CONNECTION SERVER. SUMMARY REPORTS WILL NOT BE AVAILABLE. UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER DATABASE CONNECTION SERVER. SUMMARY REPORTS WILL NOT BE AVAILABLE. UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER LOCAL DATABASE. CURRENT REPORTS WILL NOT BE AVAILABLE UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER LOCAL DATABASE. CURRENT REPORTS WILL NOT BE AVAILABLE UNABLE TO COMMUNICATE WITH THE RESOURCE MANAGER LOCAL DATABASE. CURRENT REPORTS WILL NOT BE AVAILABLE THE SUMMARY DATABASE DOES NOT CONTAIN ENOUGH INFORMATION TO GENERATE A PROCESS SUMMARY REPORT. THE SUMMARY DATABASE CONTAINS NO SERVER INFORMATION. THE SUMMARY DATABASE DOES NOT CONTAIN ENOUGH INFORMATION TO GENERATE A USER SUMMARY REPORT. FAILED TO SAVE REPORTS
-1072297125
C0160B5B
RESOURCEMGR
-1072297124
C0160B5C
RESOURCEMGR
-1072297123
C0160B5D
RESOURCEMGR
-1072297122
C0160B5E
RESOURCEMGR
-1072297121
C0160B5F
RESOURCEMGR
-1072297120
C0160B60
RESOURCEMGR
-1072297119
C0160B61
RESOURCEMGR
-1072297118
C0160B62
RESOURCEMGR
-1072297117
C0160B63
RESOURCEMGR
318
ERROR CODE (HEX) ERROR MESSAGE C0160B64 UNABLE TO IDENTIFY THE SUMMARY DATABASE SOFTWARE VERSIONS. SUMMARY DATABASE FUNCTIONALITY MAY NOT OPERATE CORRECTLY IN THE PRESENTATION SERVER CONSOLE. UNABLE TO IDENTIFY ANY RESOURCE MANAGER SUMMARY DATABASE SERVERS IN THE FARM. ALL START TIMES SHOULD BE LESS THAN THE STOP TIMES SUMMARY DATABASE FUNCTIONALITY CANNOT BE ENABLED WITHOUT A DATABASE CONNECTION SERVER BEING SET. UNABLE TO IDENTIFY DATABASE CONNECTION SERVER ERROR SAVING FILE ~0~. CHECK ACCESS PERMISSIONS. ERROR SETTING THE METHOD OF SENDING E-MAIL ALERTS. FAILED TO READ SMTP SERVER CONFIGURATION. FAILED TO SET SMTP SERVER CONFIGURATION. FAILED TO SET SMTP RECIPIENT ADDRESSES. FAILED TO READ SMTP RECIPIENT ADDRESSES. A TIMEOUT HAS OCCURED! PLEASE TRY AGAIN! A FOLDER NAME CANNOT CONTAIN ANY OF THE FOLLOWING CHARACTERS: \ / : * ? " < > | PLEASE ENTER A FOLDER NAME!
-1072297115
C0160B65
RESOURCEMGR
-1072297114 -1072297252
C0160B66 C0160ADC
-1072297113
C0160B67 C0160B68 C0160B69 C0160B6A C0160B6B C0160B6C C0160B6D
RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR RESOURCEMGR SERVGRPMGR ADMINMGR
500 510
1F4 1FE
511
1FF
ADMINMGR
319
ERROR CODE (DECIMAL) 512 513 514
ERROR CODE (HEX) ERROR MESSAGE 200 201 202 ACTION FAILED! CAN'T RENAME FOLDER! THE SELECTED FOLDER IS NOT EMPTY. A FOLDER CANNOT BE DELETED UNTIL IT IS EMPTY. CAN'T DELETE FOLDER! THE SELECTED FOLDER IS NOT EMPTY. A FOLDER CANNOT BE MOVED UNTIL IT IS EMPTY. CAN'T MOVE FOLDER! A FOLDER NAME CANNOT CONTAIN MORE THAN 256 CHARACTERS! THE LICENSE LIST IS INCOMPLETE. THE REQUEST FOR INFORMATION COULD HAVE TIMED OUT. FAILED TO INITIALIZE LIST CONTROL. THERE WAS AN UNEXPECTED INTERNAL ERROR IN PROCESSING THIS ACTION. THE VIEW COULD NOT BE REFRESHED. THE VIEW COULD NOT BE FOUND. THE VIEW COULD NOT BE REFRESHED. THE SELECTION IN THE TREE CHANGED UNEXPECTEDLY. THE LICENSE LIST IS INCOMPLETE. AN ERROR OCCURRED WHILE GETTING THE INFORMATION. YOU MUST HAVE ADMINISTRATOR RIGHTS TO RUN THIS APPLICATION. THE LICENSE COULD NOT BE ADDED.
ERROR COMES FROM SERVGRPMGR ADMINMGR ADMINMGR
515 516
203 204
ADMINMGR ADMINMGR
517 518 700
205 206 2BC
ADMINMGR ADMINMGR LICENSEMGR
701 702
2BD 2BE
LICENSEMGR LICENSEMGR
703
2BF
LICENSEMGR
704
2C0
LICENSEMGR
705
2C1
LICENSEMGR
710 800
2C6 320
320
ERROR CODE (DECIMAL) 801 802
ERROR CODE (HEX) ERROR MESSAGE 321 322 THE LICENSE COULD NOT BE ADDED. IT IS ALREADY INSTALLED. THE LICENSE COULD NOT BE ADDED. IT IS NOT A VALID SERIAL NUMBER. THE LICENSE COULD NOT BE ADDED. THE LICENSING SUBSYSTEM DID NOT RESPOND. THE LICENSE COULD NOT BE ADDED. THE PRODUCT ASSOCIATED WITH THIS LICENSE WAS NOT FOUND IN THIS FARM. THE SERIAL NUMBER MUST BE ENTERED IN THE FOLLOWING FORMAT: XXXXX-XXXXX-XXXXXXXXXX-XXXXX. YOU HAVE REACHED THE MAXIMUM NUMBER OF LICENSE PACKS ALLOWED PER SERVER. YOU CANNOT INSTALL ADDITIONAL LICENSE PACKS. PLEASE CONTACT CITRIX TECHNICAL SUPPORT. PLEASE ENTER A SERIAL NUMBER. THE LICENSE COULD NOT BE REMOVED. NONE OF THE SELECTED LICENSES COULD BE REMOVED. NOT ALL OF THE LICENSES WERE SUCCESSFULLY REMOVED. THERE MIGHT BE A DELAY BEFORE THE LICENSE INFORMATION IS UPDATED. THIS PRODUCT LICENSE CANNOT BE REMOVED. THERE WAS AN UNEXPECTED INTERNAL ERROR IN REMOVING THESE LICENSES.
ERROR COMES FROM LICENSEMGR LICENSEMGR
803
323
LICENSEMGR
804
324
LICENSEMGR
805
325
LICENSEMGR
806
326
LICENSEMGR
807 820 821 822
327 334 335 336
LICENSEMGR LICENSEMGR LICENSEMGR LICENSEMGR
823 824
337 338
321
ERROR CODE (DECIMAL) 825
ERROR CODE (HEX) ERROR MESSAGE 339 THE LICENSE MAY OR MAY NOT HAVE BEEN REMOVED BECAUSE THE REQUEST TIMED OUT. THERE MIGHT BE A DELAY BEFORE THE LICENSE INFORMATION IS UPDATED. THE LICENSES MAY OR MAY NOT HAVE BEEN REMOVED BECAUSE THE REQUEST TIMED OUT. THERE MIGHT BE A DELAY BEFORE THE LICENSE INFORMATION IS UPDATED. THE ACTIVATION CODE MUST BE ENTERED IN THE FOLLOWING FORMAT: XXXXX-XXXXX. THE LICENSE COULD NOT BE ACTIVATED. IT MAY ALREADY BE ACTIVATED. THE LICENSE COULD NOT BE ACTIVATED. THE ACTIVATION CODE IS INCORRECT. CHECK THAT YOU ENTERED THE CODE CORRECTLY. THE LICENSE COULD NOT BE ACTIVATED. THE LICENSING SUBSYSTEM DID NOT RESPOND. PLEASE ENTER AN ACTIVATION CODE. COULD NOT FIND ASSIGNMENT DATA. THERE ARE NO LICENSES IN THIS LICENSE SET. ALL OF THE LICENSES IN THIS LICENSE SET ARE ALREADY ASSIGNED TO SERVERS. THE LICENSE COULD NOT BE ASSIGNED.
ERROR COMES FROM LICENSEMGR
826
33A
LICENSEMGR
830
33E
LICENSEMGR
831
33F
LICENSEMGR
832
340
LICENSEMGR
833
341
LICENSEMGR
834 850 851 852
342 352 353 354
LICENSEMGR LICENSEMGR LICENSEMGR LICENSEMGR
853
355
LICENSEMGR
322
ERROR CODE (HEX) ERROR MESSAGE 356 THE FULL <LICENSE NUMBER> COULD NOT BE ASSIGNED. ONLY <NUMBER> WAS ASSIGNED. IT MAY TAKE A MOMENT FOR THIS CHANGE TO APPEAR FULLY IN THE VIEWS. PLEASE SELECT A SERVER IN THE TREE. THE LICENSE COULD NOT BE ASSIGNED. YOU CANNOT ASSIGN MORE THAN ONE OF EACH PRODUCT LICENSE TO A SERVER. PLEASE ENTER A VALUE BETWEEN 1 AND <NUMBER>. THIS ASSIGNMENT ALREADY EXISTS. THIS PRODUCT LICENSE HAS ALREADY BEEN ASSIGNED TO THE SELECTED SERVER. THERE ARE NO LICENSES INSTALLED ON THIS FARM. YOU MUST ADD (AND ACTIVATE) ONE OR MORE LICENSES TO MAKE THEM AVAILABLE FOR ASSIGNMENT. NONE OF THE LICENSES INSTALLED ON THIS FARM ARE AVAILABLE FOR ASSIGNMENT. YOU CANNOT ASSIGN INACTIVATED, EVALUATION, OR EXPIRED LICENSES TO A CITRIX SERVER. FOR EXISTING LICENSE ASSIGNMENTS, YOU MUST DROP OR REDUCE THE ASSIGNMENT BEFORE YOU CAN ASSIGN THE LICENSE TO A NEW CITRIX SERVER. THE SELECTED ASSIGNMENT COULD NOT BE DROPPED. SOME OF THE SELECTED ASSIGNMENTS COULD NOT BE DROPPED. THERE MIGHT BE A DELAY BEFORE THE LICENSE INFORMATION IS UPDATED.
855 856
357 358
857 858
359 35A
859
35B
LICENSEMGR
860
35C
LICENSEMGR
870 871
366 367
323
ERROR CODE (HEX) ERROR MESSAGE 368 NONE OF THE SELECTED ASSIGNMENTS COULD BE DROPPED. LICENSE ASSIGNMENT COULD NOT BE CHANGED. THE FULL <LICENSE NUMBER> COULD NOT BE ASSIGNED. ONLY <NUMBER> WAS ASSIGNED. IT MAY TAKE A MOMENT FOR THIS CHANGE TO APPEAR FULLY IN THE VIEWS. THIS LICENSE CANNOT BE POOLED. AN UNKNOWN ERROR OCCURRED WHILE LOADING <PLUGIN NAME> ITS FEATURES WILL NOT BE AVAILABLE DURING THIS SESSION. FARM LOGON ERROR PASS-THROUGH AUTHENTICATION FAILED, FAILED TO CONNECT TO SERVER <SERVER> 514 515 THE ICA DISPLAY SETTINGS COULD NOT BE CHANGED. THE PRODUCT CODE YOU ENTERED WAS INVALID. THE SERVER'S PRODUCT CODE HAS NOT BEEN CHANGED. THE PRODUCT CODE YOU ENTERED WAS INVALID. NONE OF THE SERVERS' PRODUCT CODES HAVE BEEN CHANGED. THE PRODUCT CODE COULD NOT BE CHANGED. THE VALUE ENTERED FOR "MAXIMUM MEMORY TO USE FOR EACH SESSION'S GRAPHICS" IS INVALID. PLEASE ENTER A VALUE BETWEEN 150 KILOBYTES AND 8192 KILOBYTES.
880 881
370 371
882 1100
372
LICENSEMGR PLUGINMGR
1110 1111
PLUGINMGR PLUGINMGR
1300 1301
SERVERMGRNE W SERVERMGRNE W
1302
516
SERVERMGRNE W
1305 1306
519 51A
SERVERMGRNE W SERVERMGRNE W
324
ERROR CODE (HEX) ERROR MESSAGE 51B FAILED TO CHANGE THE LISTENING TCP PORT FOR THE CITRIX XML SERVICE! SOME SERVERS' PRODUCT CODES WERE CHANGED, BUT SOME COULD NOT BE. NONE OF THE SERVERS' PRODUCT CODES COULD BE CHANGED. PLEASE ENSURE THAT THE RESET VALUE IS GREATER OR EQUAL THAN THE SET VALUE. SESSION INFORMATION IS NOT AVAILABLE FOR THIS SESSION. USER INFORMATION WILL BE REFRESHED. FAILED TO DISCONNECT SESSION. USER INFORMATION WILL BE REFRESHED. FAILED TO CONNECT SESSION. USER INFORMATION WILL BE REFRESHED. WRONG PASSWORD. LETTERS IN PASSWORDS MUST BE TYPED USING THE CORRECT CASE. ENSURE THAT CAPS LOCK IS NOT ACCIDENTALLY ON. FAILED TO RESET SESSION. USER INFORMATION WILL BE REFRESHED. UNABLE TO SEND MESSAGE TO THE SELECTED SESSION. USER INFORMATION WILL BE REFRESHED. STATUS INFORMATION IS NOT AVAILABLE FOR THIS SESSION. USER INFORMATION WILL BE REFRESHED. UNABLE TO COLLECT PROCESS DATA FOR THIS SERVER. THE REQUEST TIMED OUT.
ERROR COMES FROM SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W
1308
51C
1309 1311
51D 51F
1312
520
1313
521
SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W
1314
522
1314
522
1315 1316
523 524
SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W
1317
525
1318
526
SERVERMGRNE W
325
ERROR CODE (HEX) ERROR MESSAGE 527 UNABLE TO COLLECT SESSION DATA FOR THIS SERVER. THE REQUEST TIMED OUT. THE AUTO CLIENT RECONNECT SETTINGS COULD NOT BE CHANGED. PLEASE CHOOSE A FEATURE RELEASE LEVEL. THE FEATURE RELEASE LEVEL COULD NOT BE CHANGED. THE FILE TYPE ASSOCIATION SETTINGS COULD NOT BE CHANGED. 53D 546 547 THE ENABLE LOGON SETTINGS COULD NOT BE CHANGED. THE ICA KEEP-ALIVE SETTINGS COULD NOT BE CHANGED THE ENTERED ICA KEEP-ALIVE TIME-OUT VALUE IS INVALID. PLEASE ENTER A VALUE BETWEEN 1 AND 3600 SECONDS. THE SPEEDSCREEN SETTINGS COULD NOT BE CHANGED. COULD NOT ENUMERATE PUBLISHED APPLICATIONS FOR THIS SERVER. ERROR CHANGING THE CONNECT TO CONSOLE SETTING. A ZONE WITH THE SAME NAME ALREADY EXISTS! A ZONE CANNOT BE DELETED UNTIL ALL SERVERS HAVE BEEN REMOVED FROM IT! A ZONE MUST CONTAIN AT LEAST ONE SERVER!
ERROR COMES FROM SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W
1320
528
1330 1331 1340
532 533
1341 1350 1351
1360 1370
550 55A
SERVERMGRNE W SERVERMGRNE W SERVERMGRNE W IMACORESETTI NGSMGR IMACORESETTI NGSMGR IMACORESETTI NGSMGR
1380 1600 1601
564 640 641
1602
642
326
ERROR CODE (HEX) ERROR MESSAGE 8FD AN ERROR OCCURRED WHILE RETRIEVING INFORMATION FROM INSTALLATION MANAGER. THE INFORMATION DISPLAYED MAY BE INCOMPLETE. IF THE PROBLEM PERSISTS, CONTACT CITRIX TECHNICAL SUPPORT. AN INTERNAL ERROR OCCURED WHILE LOADING DEFAULT ICONS. THE DATA STORE IS NOT AVAILABLE. SOME FEATURES MAY NOT BE AVAILABLE. THE OPERATION TO REMOVE THE SERVER FROM FARM HAS TIMED OUT, BUT IT MAY HAVE SUCCEEDED. THE PERSISTENT STORE SERVER CANNOT BE REMOVED. THE LOAD EVALUATOR NAME IS ALREADY BEING USED. PLEASE USE A DIFFERENT NAME. CANNOT DELETE THE DEFAULT EVALUATOR. THE LOAD EVALUATOR IS STILL IN USE. PLEASE DETACH THE LOAD EVALUATOR FROM ANY SERVERS OR APPLICATIONS BEFORE DELETING. CANNOT DELETE THE DEFAULT EVALUATOR OR LOAD EVALUATORS THAT ARE STILL IN USE. PLEASE DETACH THE LOAD EVALUATORS FROM ANY SERVERS OR APPLICATIONS BEFORE DELETING. AT LEAST ONE LOAD EVALUATOR COULD NOT BE DELETED BECAUSE IT IS STILL IN USE. PLEASE DETACH THE LOAD EVALUATORS FROM ANY SERVERS OR APPLICATIONS BEFORE DELETING.
ERROR COMES FROM IMSMGR
5556 5650
15B4 1612
EXT.WIDGETS.IC ONCHOOSER EXT.FRAMEWOR K. TOOLS ADMINUSERMG R ADMINUSERMG R LMSADMIN
2147483659
8000000B
2147483692 2148598021
8000002C 80110105
2148598022 2148598023
80110106 80110107
LMSADMIN LMSADMIN
2148598022
80110106
LMSADMIN
2148598023
80110107
LMSADMIN
327
ERROR CODE (DECIMAL) VARIOUS 2149318670
ERROR CODE (HEX) ERROR MESSAGE VARIOUS 801C000E AT LEAST ONE LOAD EVALUATOR COULD NOT BE DELETED. THE SERVER IS STILL REACHABLE, AND CANNOT BE REMOVED. IT SHOULD BE REMOVED BY UNINSTALL PROGRAM. COULD NOT READ APPLICATION DATA FROM THE CITRIX SERVER FARM. COULD NOT WRITE APPLICATION DATA TO THE CITRIX SERVER FARM. COULD NOT DELETE APPLICATION DATA FROM THE CITRIX SERVER FARM. DISPLAY NAME NOT SPECIFIED.
ERROR COMES FROM LMSADMIN ADMINUSERMG R
3221553157
C0050005
METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR
3221553158
C0050006
3221553159
C0050007
3221553162
C005000A
3221553163
C005000B
THE DISPLAY NAME ALREADY EXISTS IN THIS APPLICATION FOLDER. THE APPLICATION NAME CANNOT CONTAIN ANY OF THE FOLLOWING CHARACTERS: \/;:.*?=<>|[]()'" THE COMMAND LINE IS REQUIRED TO PUBLISH AN APPLICATION. ENTER THE PATH AND FILENAME OF THE APPLICATION'S EXECUTABLE FILE IN THE COMMAND LINE BOX. THE CONTENT ADDRESS IS REQUIRED TO PUBLISH A CONTENT. ENTER THE UNC OR THE URL ADDRESS FOR THE CONTENT. THE WINDOW SIZE SPECIFIED IS TOO SMALL.
3221553166
C005000E
3221553167
C005000F
3221553167
C005000F
METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR
3221553170
C0050012
328
ERROR CODE (HEX) ERROR MESSAGE C0050013 THE WINDOW SIZE SPECIFIED IS TOO LARGE. FILE PATHS CANNOT CONTAIN ANY OF THE FOLLOWING CHARACTERS: / *?"<>| THE ICA FILE NAME YOU ENTERED CANNOT BE FOUND. USE THE BROWSE BUTTON TO LOCATE AND SELECT THE ICA FILE. UNABLE TO WRITE THE FILE TO DISK. THE DISPLAY NAME CANNOT CONTAIN ANY OF THE FOLLOWING CHARACTERS: \/;:.*?=<>|[]()'" THE APPLICATION HAS A MINIMUM REQUIRED ENCRYPTION LEVEL OF: <LEVEL>. YOU CANNOT CREATE AN ICA FILE WITH AN ENCRYPTION LEVEL LESS THAN THIS. THE APPLICATION HAS A MINIMUM AUDIO REQUIREMENT. YOU MUST SPECIFY AN AUDIO SETTING. YOU MUST ENTER A TCP/IP PORT BETWEEN 1 AND 65536. YOU MUST SPECIFY A SERVER TO GET BROWSING INFORMATION FROM. THE APPLICATION NAME MAY ONLY HAVE A MAXIMUM OF 38 ANSI CHARACTERS, OR 19 UNICODE CHARACTERS.
ERROR COMES FROM METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR
3221553173
C0050015
3221553174
C0050016
3221553175
C0050017
3221553178
C005001A
3221553180
C005001C
3221553181
C005001D
METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR
3221553182
C005001E
3221553182
C005001E
3221553186
C0050022
329
ERROR CODE (HEX) ERROR MESSAGE C0050023 THE SELECTED APPLICATION MAY NOT HAVE BEEN PUBLISHED BECAUSE THE REQUEST HAS TIMED OUT. IF THE PUBLISHED APPLICATION DOES NOT APPEAR IN THE PRESENTATION SERVER CONSOLE, PLEASE TRY AGAIN. THE SELECTED PUBLISHED APPLICATION COULD NOT BE COPIED BECAUSE THE DATA CANNOT BE ACCESSED FROM THE DATA STORE. YOU CANNOT CHANGE THE PROPERTIES OF AN APPLICATION PUBLISHED WITH AN UPDATED VERSION OF METAFRAME PRESENTATION SERVER. TO EDIT THE PROPERTIES, YOU MUST CONNECT TO A METAFRAME PRESENTATION SERVER WITH THE LATEST SERVICE PACK INSTALLED OR INSTALL THE LATEST SERVICE PACK ON ALL METAFRAME PRESENTATION SERVERS IN YOUR FARM. THE ICA FILE WAS NOT CREATED BECAUSE A SERVER HOSTING THE APPLICATION DID NOT RESPOND. PLEASE TRY AGAIN. THE APPLICATION NAME ALREADY EXISTS IN THE SERVER FARM. FAILED TO ADD NETWORK PRINT SERVER <SERVERNAME>. THE SPECIFIED NETWORK PRINT SERVER HAS ALREADY BEEN ADDED. THE SPECIFIED NETWORK PRINT SERVER COULD NOT BE CONTACTED OR HAS NO PRINTERS.
ERROR COMES FROM METAFRAMEPU B APPMGR
3221553188
C0050024
METAFRAMEPU B APPMGR
3221553189
C0050025
METAFRAMEPU B APPMGR
3221553190
C0050026
METAFRAMEPU B APPMGR METAFRAMEPU B APPMGR PRINTERMGR PRINTERMGR
3221553191
C0050027
3222470657 3222470658
C0130001 C0130002
3222470659
C0130003
PRINTERMGR
330
ERROR CODE (HEX) ERROR MESSAGE C0130004 C0130005 C0130006 YOU MUST ENTER A USER NAME. FAILED TO DELETE NETWORK PRINT SERVER <SERVERNAME>. FAILED TO REFRESH NETWORK PRINT SERVER DATA FOR SERVER <SERVERNAME>. COULD NOT ENUMERATE ALL PRINTERS. COULD NOT ENUMERATE PRINTERS FOR SERVER <SERVERNAME>. COULD NOT ENUMERATE ALL DRIVERS. COULD NOT ENUMERATE DRIVERS FOR SERVER <SERVERNAME>. COULD NOT ENUMERATE METAFRAME SERVERS FOR THIS FARM. COULD NOT ENUMERATE SERVERS THAT HAVE PRINT DRIVER <DRIVERNAME>. REPLICATION FAILED. REPLICATION FROM SERVER <SERVERNAME> FAILED. THE DRIVERS YOU SELECTED ARE FOR DIFFERENT PLATFORMS. WHEN SELECTING MULTIPLE DRIVERS, ALL DRIVERS MUST BE FOR THE SAME PLATFORM. COULD NOT ENUMERATE OPERATING SYSTEM PLATFORMS. THE SPECIFIED DRIVER ALREADY EXISTS IN THE COMPATIBILITY LIST. FAILED TO SET COMPATIBILITY LIST.
ERROR COMES FROM PRINTERMGR PRINTERMGR PRINTERMGR
3222470663 3222470664 3222470665 3222470666 3222470667
C0130007 C0130008 C0130009 C013000A C013000B
PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR
3222470668
C013000C
PRINTERMGR
3222470669 3222470670 3222470671
C013000D C013000E C013000F
PRINTERMGR PRINTERMGR PRINTERMGR
3222470672 3222470673 3222470674
C0130010 C0130011 C0130012
331
ERROR CODE (DECIMAL) 3222470675 3222470676 3222470677 3222470678 3222470680
ERROR CODE (HEX) ERROR MESSAGE C0130013 C0130014 C0130015 C0130016 C0130018 COULD NOT ENUMERATE DRIVER MAPPING LIST. FAILED TO SET DRIVER MAPPING LIST. COULD NOT ENUMERATE BANDWIDTH LIMITS. FAILED TO SET BANDWIDTH LIMITS. COULD NOT ENUMERATE USERS AND GROUPS CONFIGURED FOR PRINTER <PRINTERNAME>. COULD NOT ENUMERATE ALL USERS AND GROUPS FOR SPECIFIED DOMAIN. FAILED TO SET AUTO-CREATION SETTINGS FOR PRINTER <PRINTERNAME>. FAILED TO COPY AUTO-CREATION SETTINGS FROM PRINTER <PRINTERNAME>. COULD NOT ENUMERATE CLIENT PRINTER LIST. THE SPECIFIED CLIENT PRINTER ALREADY EXISTS IN THE LIST. THE SPECIFIED PORT HAS ALREADY BEEN ASSIGNED FOR THIS CLIENT. COULD NOT ENUMERATE AUTOREPLICATION LIST. FAILED TO SET AUTO-REPLICATION LIST. COULD NOT ENUMERATE COMPATIBILITY LIST. THE SPECIFIED CLIENT DRIVER ALREADY EXISTS IN THE MAPPING LIST.
ERROR COMES FROM PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR
3222470681
C0130019
PRINTERMGR
3222470682
C013001A
PRINTERMGR
3222470684
C013001C
PRINTERMGR
3222470685 3222470686 3222470687 3222470688 3222470689 3222470690 3222470691
C013001D C013001E C013001F C0130020 C0130021 C0130022 C0130023
PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR
332
ERROR CODE (HEX) ERROR MESSAGE C0130024 C0130025 C0130026 COULD NOT ENUMERATE DOMAINS. FAILED TO SET CLIENT PRINTER LIST. FAILED TO DETERMINE OPERATING SYSTEM PLATFORM FOR ONE OR MORE SERVERS IN THE FARM. THESE SERVERS CANNOT BE USED AS DESTINATIONS FOR PRINTER DRIVER REPLICATION ACTIONS. THE PRINTER MANAGEMENT SYSTEM ON THE PREFERRED SERVER COULD NOT BE CONTACTED. YOU WILL NOT BE ABLE TO MAKE CHANGES TO PRINTER-RELATED DATA. COULD NOT ENUMERATE SERVERS WITH THE PRINT DRIVER <DRIVERNAME>. THE NAMES OF SOME USERS COULD NOT BE OBTAINED. COULD NOT GET THE PLATFORM FOR SERVER <SERVERNAME>. COULD NOT ENUMERATE NETWORK PRINT SERVERS. FAILED TO GET DRIVER FOR PRINTER <PRINTERNAME> THE SPECIFIED DOMAIN DOES NOT EXIST OR DOES NOT TRUST THE FARM. THE SPECIFIED DRIVER HAS BEEN MARKED INCOMPATIBLE WITH ALL SERVER PLATFORMS IN THE FARM. SEARCH FAILED. AN UNKNOWN ERROR OCCURRED. GENERAL FAILURE.
ERROR COMES FROM PRINTERMGR PRINTERMGR PRINTERMGR
3222470695
C0130027
PRINTERMGR
3222470696
C0130028
PRINTERMGR
3222470697 3222470698 3222470699 3222470700 3222470701
C0130029 C013002A C013002B C013002C C013002D
PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR
3222470704
C0130030
PRINTERMGR
3222470705 3222503424 3222503425
C0130031 C0138000 C0138001
333
ERROR CODE (DECIMAL) 3222503426 3222503428
ERROR CODE (HEX) ERROR MESSAGE C0138002 C0138004 THERE IS NOT ENOUGH MEMORY TO COMPLETE THE OPERATION. THERE ARE NOT ENOUGH RESOURCES TO COMPLETE THE OPERATION. THE ITEM WAS NOT FOUND. THE OPERATION TIMED OUT. ENUMERATION FAILED. ACCESS IS DENIED. NETWORK FAILURE. THE DESTINATION COULD NOT BE FOUND. THE SERVER COULD NOT BE CONTACTED. AUTHENTICATION FAILED. THE DOMAIN CONTROLLER COULD NOT BE CONTACTED. THE ITEM ALREADY EXISTS. THE SERVER IS PART OF THE FARM. THE NETWORK SERVER HAS ALREADY BEEN ADDED. COULD NOT ENUMERATE THE USER ACCOUNTS IN THIS DOMAIN. THERE MIGHT BE COMMUNICATION PROBLEMS ON THE NETWORK. COULD NOT COLLECT REQUIRED USER ACCOUNT INFORMATION FOR SOME OR ALL OF THE ACCOUNTS FROM THIS DOMAIN. THESE USERS WILL NOT BE ADDED TO CONFIGURED ACCOUNTS LIST. THE DOMAIN CONTROLLER FOR THIS DOMAIN IS NOT AVAILABLE.
ERROR COMES FROM PRINTERMGR PRINTERMGR
3222503429 3222503430 3222503431 3222503432 3222503433 3222503434 3222503440 3222503442 3222503443 3222503444 3222503445 3222503446 3222798336/ VARIOUS
C0138005 C0138006 C0138007 C0138008 C0138009 C013800A C0138010 C0138012 C0138013 C0138014 C0138015 C0138016 C0180000/ VARIOUS
PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR PRINTERMGR USERENUMERA TION
3222798337
C0180001
USERENUMERA TION
3222798338
C0180002
USERENUMERA TION
334
ERROR CODE (HEX) ERROR MESSAGE C0180003 ONE OR MORE SERVERS SELECTED TO HOST THIS APPLICATION HAVE FAILED TO COMPLETE THE INITIAL STARTUP SEQUENCE. THE SERVER(S) WILL NOT BE AVAILABLE FOR PUBLISHING APPLICATIONS UNTIL THE IMA SERVICE IS RESTARTED. THE ACCOUNTS TRUSTED BY THE SELECTED SERVERS COULD NOT BE DETERMINED. COULD NOT ENUMERATE DOMAINS. COULD NOT ATTACH LOAD EVALUATOR TO THIS SERVER. COULD NOT CREATE A NEW LOAD EVALUATOR. COULD NOT DELETE THE LOAD EVALUATOR. COULD NOT GET THE LIST OF SERVERS ATTACHED TO THE APPLICATION. COULD NOT MODIFY THE LOAD EVALUATOR. THE PRESENTATION SERVER CONSOLE FAILED TO REMOVE THE SERVER. INSTALLATION MANAGER NETWORK BROWSER FAILED. INSTALLER FAILED (USUALLY ADF INSTALLER SINCE MSI HAS ITS OWN ERROR CODES). LOGON TO THE NETWORK SHARE ACCOUNT FAILED. NO NETWORK SHARE POINT ACCOUNT IS SPECIFIED.
ERROR COMES FROM USERENUMERA TION
3222798340
C0180004
USERENUMERA TION USERENUMERA TION LMSADMIN LMSADMIN LMSADMIN LMSADMIN
3222798341 VARIOUS VARIOUS VARIOUS VARIOUS
C0180005 VARIOUS VARIOUS VARIOUS VARIOUS
VARIOUS VARIOUS
VARIOUS VARIOUS
LMSADMIN ADMINUSERMG R IMSMGR IMSMGR
80240008 80240002
80240003 80240001
IMSMGR IMSMGR
335
ERROR CODE (DECIMAL)
ERROR CODE (HEX) ERROR MESSAGE 80240005 80240004 80240006 PACKAGE IS IN USE AND CANNOT BE MODIFIED. PACKAGE WITH THE SAME NAME ALREADY EXISTS. THE OPERATION IS NOT ALLOWED, FOR EXAMPLE, A JOB CANNOT BE MODIFIED AFTER IT IS STARTED. THE PACKAGE FILE PROVIDED (WHEN ADDING A PACKAGE TO THE DATA STORE) IS NOT A VALID (MSI OR ADF) PACKAGE.
ERROR COMES FROM IMSMGR IMSMGR IMSMGR
80240007
IMSMGR
336
Resource Manager Billing Error Codes

Error Code (hex) 803a001 Error Message The summary database version information could not be found in the database. Billing reports will not be available. Cause/Solution Returned if the summary database table SCHEMAVERSION either contains no rows or there is no table (that is, the database connection server is pointing to a database that is not the summary database). Returned if the Billing subsystem cannot enumerate a domain or local group in a cost center. This could fail because of not being able to contact a domain controller or insufficient permissions for local groups. More detailed information is written to the database connection server log file. Each time a report is generated, it is assigned a unique ID by the Billing subsystem. This error message is displayed if this matches any ID already assigned to a report. The chances of this occurring are minimal. The billing subsystem limits the amount of report data to be retrieved by the database connection server to 60,000 lines. This error message is be returned if the user is trying to generate a report that exceeds this limit. It is designed to prevent the IMA Service from consuming excessive memory. To work around the problem, narrow the reporting conditions or reduce the detail of the report. Returned if the Billing subsystem cannot connect to the summary database. Either the database connection server configuration is incorrect or it cannot contact the database connection server. More detailed information is written to the database connection server log file.
803a002
An error occurred while trying to enumerate user accounts in domain group, contained within a cost center. The billing report cannot be generated.
803a004
An error occurred while generating the report.
803a005
803a0013
An error occurred when trying to connect to the summary database.
337
Error Code (hex) 803a0014
Error Message An error occurred when executing a database query.
Cause/Solution Returned if any of the Billing stored procedures fail. More detailed information is returned to the database connection server log file. A possible cause could be a corrupt summary database schema. Returned if the database connection server cannot close the connection to the summary database after generating a billing report. More detailed information is written to the database connection server log file. Returned if the schema is correct but the version in the summary database does not match that held in the subsystem. When upgrading a farm, the schema version is updated. However, users might see this problem if they are connecting an old farm (that is, Feature Release 1) to a new summary database (that is, Feature Release 3). Returned if the user is attempting to use a database that is not supported for the summary database (that is DB2). Not an error message, more just a warning telling users that they are attempting to generate a billing report without selecting any of the configured fee profiles. Cause is as stated in message.
803a0015
803a0017
The version of the summary database is not compatible with this version of Resource Manager. Billing reports will not be available.
803a0018
The summary database DBMS type is not supported by Resource Manager. Billing reports will not be available. The fees that are used to calculate the costs in this billing report have not been configured. Do you want to continue with the generation of the report? The fees that will be used to calculate the costs in this Billing report were entered from a Presentation Server Console running in a different country. No currency conversion is performed. This may result in incorrect costs being calculated. Do you want to continue with the generation of the report? An error occurred while generating the report.
803a0019
803a0020
803a0021
Returned if the reports subsystem returned corrupted data to the billing subsystem to be displayed.
338
Error Code (hex) 803a0022
Error Message An error occurred retrieving the DBMS user credentials from the database connection server. Billing reports will not be available. The Billing HTML template file could not be found.
Cause/Solution Returned if the database connection server cannot provide the DSN connection details to the billing subsystem through the summary database subsystem. Returned if there is no template with which to create the billing report.
803f0001
APPENDIX D
Registered Citrix Ports
The following table contains the default registered Citrix ports.

Name ica ica ica ica icabrowser icabrowser icabrowser citrixima citrixima citrixadmin citrixadmin citriximaclient citriximaclient citrix-rtmp citrix-rtmp Citrix Systems Number 1494 1494 0x85BB 0x9010 1604 1604 0x85BA 2512 2512 2513 2513 2598 2598 2897 2897 3845 Protocol TCP UDP IPX SPX TCP UDP IPX TCP UDP TCP UDP TCP UDP TCP UDP MIB Description ICA <not used> ICA ICA <not used> ICA Browser ICA Browser IMA (server to server) <not used> IMA (Presentation Server Console to server) <not used> Common Gateway Protocol (Session Reliability) <not used> rtmp (Control) Video Frame rtmp (Streaming Data) Video Frame Private Enterprise Number. Used for SNMP MIB Object ID and Active Directory Schema Object Ids (OID).
Note: The Default Citrix License Server port is 27000.
Index
341
Index
A
Active Directory and Windows policies 168 deploying clients with 80 deploying Program Nieghborhood Agent with 80 deploying Program Nieghborhood with 80 deploying with 68 forest trusts 223 administrative share point deploying from 70 administrator accounts configuring 185 aliases creating, in Novell Directory Services 250 application folders 90 apputil command 60, 151 Audio Recording feature 169 used with Program Neighborhood 170 used with Program Neighborhood Agent 170 Auto-End Tasks feature 159 auto-replication of printer drivers 256 configuring administrator accounts 185 client and server proxy settings 199 data collectors 26 data refresh 89 default gateway 49 IIS server 191 operating system 17 routing table 48 SNMP service 186 ZENworks container packages 239 content publishing with the Web Interface 131 content redirection 130 from client to server 131 with the Web Interface 131 cycle booting servers 96
D
data collectors configuring 26 election of 35 estimating traffic to 27 formula for interzone connections 25 data store cluster failover support 44 communication with ODBC 189 dsmaint command 187, 214, 273, 305 hardware components 43 implementing in a SAN 4246 object sizes in 16 objects 37 optimizing network connections to 3941 replicating 257 replication, troubleshooting 268 securing 187 troubleshooting connections 214 using IBM DB2 189 using Microsoft Access 187 using Microsoft SQL Server 188 using MSDE 188 using Oracle 188 delegated administration 91
B
blades servers 60
C
CAB client packages 76 changing farm membership of servers 94 chfarm command 94, 215 Citrix IMA Service 32, 62, 96 error codes 297 logging 213 memory consumption by 18 troubleshooting 211 Citrix XML Service 181, 324 cluster failover support 44 Computer Associates Unicenter deploying with 69
342

ICA files and single sign-on 248 configuring SpeedScreen Browser Acceleration 138 file extension 80 parameters 138 sample Template.ica file 135 IMAPing 33 imaport command 189 Installation Checklist 58 Installation Manager Application Publishing Wizard 151 debug files 229 deploying Windows Installer packages 66, 150 deployment server 99 group size considerations 98 job scheduling 101 package server 99 Packager 102 Internet Information Services configuring for smart card support 202
denial of service attacks securing against 190 deploying MetaFrame Presentation Server blades servers 60 from an administrative share point 70 rapidly, with Oracle 64 with Active Directory 68 with Computer Associates Unicenter 69 with Installation Manager 66 with Microsoft Access 63 with Oracle Real Application Clusters 71 deployment server 99 DNS round robin and load balancing 55 servers and client connections 53 document center 10 driveremap command 58 dsmaint command 187, 214, 273, 305 dynamic client name 76
E
error codes Citrix IMA Service 297
J
job scheduling in server farms 101
F
failed installations troubleshooting 214 Fibre Channel 42 file type association 226 force reinstall 150 forest trusts 223
L
load balancing 41, 55, 180 tuning load bias 162 load management 90 Load Manager 16, 307, 310 local host cache change events 36 logging Citrix IMA Service 213
H
hardware components of data store 43 hardware configuration recommendations 13 Hyper-Threading 19, 21
M
management consoles installing 87 MetaFrame Access Suite Console 87 Presentation Server Console 87 MetaFrame Access Suite Console 87 and pass-through authentication 91 installing 88 Report Center 92 using 9193 MetaFrame administrators configuring user accounts for 185 privileges, assigning to NDS objects 242
I
IBM DB2 and ODBC tracing 228 as data store host 189 security considerations 189
Index
MetaFrameCOM (MFCOM) 146 Microsoft Access and rapid deployment 63 as data store host 187 security considerations 187 Microsoft SQL Server and ODBC tracing 228 cluster failover support with 44 replication troubleshooting 219 security considerations 188 MSDE as data store host 188 security considerations 188 multihoming servers 47 with 44 Real Application Clusters, deploying with 71 security considerations 188
343
P
package server 99 pass-through authentication and Novell Directory Services 243, 247 and Program Neighborhood 75 and Program Neighborhood Agent 75 and the MetaFrame Access Suite Console 91 disabling 193 disabling in Program Neighborhood 193 disabling in Program Neighborhood Agent 194 Pre-installation update bulletin 57 Presentation Server Client and DNS servers 53 CAB packages 76 deploying, with Active Directory 80 dynamic name feature 76 installation, silent 73 NDS usage 247 Novell Directory Services usage with 247 proxy configuration 199 securing communication 192 Presentation Server Console 87, 190 and data store objects 37 Application Publishing Wizard 151 error codes 312 installing 87 logging on with NDS credentials 243 securing 190 security 190 using 8991 printer drivers 254256 auto replication 256 automatic installation 251 driver replication and server performance 255 managing the replication queue 254 replication 254 replication and performance issues 255
N
network interface cards multihoming 47 teaming 39 Network Manager 109110 Novell Directory Services accessing 232 client, installing 234 configuring ZENworks container packages 239 creating aliases 250 enabling usage in the Web Interface 245 farm layout 232 organizing published applications 250 system requirements 232 troubleshooting 216 usage with Presentation Server Client 247 NTFS partitions 17, 186
O
ODBC and data store communication 189 connection failure, troubleshooting 213 tracing, with IBM DB2 228 tracing, with Microsoft SQL Server 228 tracing, with Oracle 228 operating system configuration recommendations 17 service packs and updates 17 Oracle and ODBC tracing 228 and rapid deployment 64 as data store host 188 Real Application Clusters, cluster failover support
344
Program Neighborhood Agent deploying, with Active Directory 80 and client enumeration 53 and pass-through authentication 75 and the Audio Recording feature 170 and Windows Installer packages 73 deploying, with Active Directory 80 disabling pass-through authentication 193 proxy connections 198 using with a proxy server 198 virtual channel 174 Program Neighborhood Agent and pass-through authentication 75 and smart cards 202 and the Audio Recording feature 170 and Windows Installer packages 73 Config.xml file 55 disabling pass-through authentication 194 proxy settings of client and server 199 published applications for NDS users 243 organizing for Novell Directory Services users 250 troubleshooting 226
S
secure client communication 192 security client and server proxy settings 199 denial of service attacks 190 enabling smart card authentication 204 enabling SSL 204 encryption 192 Internet Explorer settings 224 Presentation Server Console 190 proxy connections 198 secure client communication 192 secure proxy/SOCKS connections 194 Web Console 191 Web Interface 192 server cloning 61, 65 server farms changing farm membership of servers 94 cycle booting servers 96 farm layout 232 group size considerations 98 job scheduling 101 system requirements 232 uninstalling servers in indirect mode 96 updating file type associations 226 server folders 90 server redundancy 14 simultaneous installations 65 smart cards 200206 enabling authentication 204 user certificates 201 using with the Web Interface 202 SNMP service configuring 186 SpeedScreen Browser Acceleration feature 136141 SpeedScreen Multimedia Acceleration feature 142145 SQL Server as data store host 188 storage area network implementing data store in 4246 stored procedures 258 summary database 104 system information obtaining 227
Q
quality of service solutions 178
R
RAID arrays employing 13 re-imaging a server 62 remapping server drives 58 renaming servers 94 Report Center 92 Resource Manager 103 billing error codes 336 database connection server 106 Farm Metric server 103 summary database 104 troubleshooting 220 using to determine user capacity of a server 23 zone elections counter 221
Index
345
T
troubleshooting Citrix IMA Service 211 data store replication 268 Microsoft SQL Server replication 219 Novell Directory Services 216 ODBC connection failure 213 Resource Manager 220 ZENworks 216
U
uninstalling servers in indirect mode 96 USB redirection 225 user accounts for MetaFrame administrators 185 user profiles 168 user-to-user shadowing 97 utilities DSVIEW 278 LMNEWLOG 291 LMSWITCH 292 MSGHOOK 279 QPRINTER 280 QUERYDC 282 QUERYDS 284 QUERYHR 287 SCCONFIG 289
V
virtual channels 174 drivers used 177
Web Interface and content publishing 131 and content redirection 131 and load balancing 180 and smart cards 202 deploying the Java client with 209 enabling Novell Directory Services usage in 245 enabling smart card authentication 204 enabling SSL 204 generating ICA files 54 NDS usage 245 securing 192 securing communication 192 Windows Directory Mapper Service enabling 202 Windows Event Log 161 Windows Installer and client deployment 80 and configuring default contexts for NDS users 248 and deployment from an administrative share point 70 and deployment with Computer Associates Unicenter 69 and deployment with Installation Manager 66 and Program Neighborhood 73 and Program Neighborhood Agent 73 and uninstalling servers 96 logging 68 packages, deploying with Installation Manager 150 Windows policies and Active Directory 168 wireless LANs using Citrix products in 207 WMI Provider 111
W
Web Console installing 88 security 191
Z
ZENworks configuring container packages 239 configuring container packages in 239 configuring user packages in 240 troubleshooting 216 zones configuring data collectors in 26 elections counter in Resource Manager 221 function of 25

MPS 3 Advanced Concepts

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

MPS 3 Advanced Concepts

Transféré par

Droits d'auteur :

Formats disponibles

Advanced Concepts Guide MetaFrame Presentation Server for Windows Version 3.

MetaFrame Presentation Server 3.0 for Windows MetaFrame Access Suite

Planning Your Deployment

Facilitating Server Farm Communication

Deploying MetaFrame Presentation Server

Managing Server Farms

Advanced Concepts Guide

Deploying, Publishing, and Configuring Applications

Optimizing MetaFrame Presentation Server Performance

Security Issues and Guidelines

Using MetaFrame Presentation Server with Novell Directory Services

Creating and Replicating Printers

Replicating Data Stores Running Microsoft SQL Server

Advanced Concepts Guide

Registered Citrix Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Advanced Concepts Guide

Getting More Information and Help

Accessing Product Documentation

Advanced Concepts Guide

Accessing the Document Center

Getting Service and Support

Advanced Concepts Guide

Customizing MetaFrame Presentation Server

Education and Training

Master page: First Cn-ChapterNumber

Planning Your Deployment

Header (on master page) 14 Advanced Concepts Guide

Data Store Hardware Guidelines

(on master page) Header Chapter 2 Planning Your Deployment

Objects in the Data Store

Advanced Concepts Guide

The Size of Data Store Objects

Chapter 2 Planning Your Deployment

Operating System Configuration

Service Packs and Updates

Advanced Concepts Guide

Changing the Maximum Buffer Size

Chapter 2 Planning Your Deployment

Planning User Capacity

Benchmarking Client Sessions

Advanced Concepts Guide

Chapter 2 Planning Your Deployment

Hyper-Threading and User Capacity

Client Hardware Configuration

Advanced Concepts Guide

Configuration Hyper-Threading Disabled Hyper-Threading Enabled

Number of Simulated Users 123 +/- 1.5 177 +/- 1.5

Chapter 2 Planning Your Deployment

Using Resource Manager to Determine User Capacity

Master page: First

Facilitating Server Farm Communication

Understanding Zones and Data Collector Communication

Header (on master page) 26 Advanced Concepts Guide

Configuring Data Collectors in Large Zones

(on master page) Header Chapter 3 Facilitating Server Farm Communication

Approximating Traffic Generated by Updates to the Data Collector

Advanced Concepts Guide

Limiting Data Collector Communication

Chapter 3 Facilitating Server Farm Communication

Traffic for Session-Based Events

MetaFrame Presentation Server 3.0

MetaFrame XPe / Feature Release 3

MetaFrame XPe / Feature Release 2