Application publishing refers to the installation and configuration of applications on a multiuser server (or server farm), so they can be accessed readily by users. MetaFrame enhances the basic application publishing capabilities of TSE by providing a Published Application Manager to facilitate the process of fielding an application.
The objective of the Published Application Manager is not only to ease the burden of administrators, but also to shield users from the complexities of setting up applications for use on their clients. When an application is published using the Published Application Manager utility, user access is simplified in three ways:
Application addressing. Instead of connecting to a MetaFrame server by its IP address or server name, users can connect to a specific application by whatever name has been assigned to the application itself. Connecting to applications by name eliminates the need for users to remember which servers contain which applications.
Application navigation. With applications published under MetaFrame, the user does not need to possess knowledge of the Windows NT 4.0, Windows 2000, or Windows Server 2003 desktop (Windows NT Explorer or Program Manager) to find and start applications after connecting to MetaFrame servers. Instead, published applications present the user with the desired application in an ICA session.
User authentication. Instead of logging on and logging off multiple MetaFrame servers to access applications, Program Neighborhood allows users to authenticate themselves a single time to all servers and obtain immediate access to all applications configured for their user group or specific username. Also, publishing applications for the special Anonymous user group allows user authentication processes to be eliminated completely. This can be a useful time-saver when publishing applications for general use by all users on the network.
User Accounts
MetaFrame application publishing provides ICA session access to two types of user accounts: anonymous and explicit. Before publishing an application, it is important to first consider who the users will be, what they will be doing when they run the application, and where they will be connecting from. This will define whether the users should be anonymous or explicitly defined (named users with full authentication).
The total number of users, whether anonymous or explicit, who can be logged on to the MetaFrame server at the same time is contingent upon an organization's licensed user count and on server and bandwidth limitations. These limitations need to be clearly understood before proceeding with application publishing (Chapter 11 discusses server and farm sizing in detail).
Anonymous User Accounts
During MetaFrame installation, the Setup program creates a special user group called "Anonymous." By default, this local Windows 2003 group contains 15 user accounts with usernames in the format Anon000 through Anon015. Anonymous users are afforded guest permissions by default.
Note: Anonymous user accounts are local user accounts (non-domain), and although 15 of them are created by default, additional ones will be created on the fly by the server to ensure that each Anon connection remains unique. If Anon connections are not going to be used, it is recommended that the accounts be disabled (but not necessarily deleted, because they may be needed in the future) for security reasons.
If an application that is to be published on the MetaFrame server is intended to be accessed by guest-level users, the application can be configured using the Published Application Manager to allow access by anonymous users. When a user starts an anonymous application, the MetaFrame server does not require an explicit username and password to log the user on to the server, but selects a user from a pool of anonymous users who are not currently logged on. Anonymous user accounts are granted minimal ICA session permissions, including
Ten-minute idle (no user activity) time-out.
Automatic End Session on broken connection or time-out.
No password requirement.
Password cannot be changed by user.
Anonymous user accounts do not have a persistent identity. That is to say, no user information is retained when an anonymous user session ends. Any desktop settings, user-specific files, or other resources created or configured by the user are discarded at the end of the ICA session. Because of the inherent permission limitations of anonymous user accounts, the 15 anonymous user accounts created during MetaFrame installation usually do not require any further maintenance.
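The recommendation above (disable, but do not delete, the Anon pool when anonymous access is not used) is easy to audit. The following script is an added example, not from the book or from Citrix; it assumes a modern Windows PowerShell with the LocalAccounts cmdlets, the local "Anonymous" group and the Anon### naming pattern the text describes.

```powershell
# Added example: report (and optionally disable) the MetaFrame anonymous
# user pool on the local server. Report-only unless -Disable is given.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+),
# a local group named "Anonymous" and accounts named Anon000, Anon001, ...
param(
    [switch]$Disable
)

$pattern = '^Anon\d{3}$'

# Members of the local Anonymous group created by MetaFrame Setup.
# Get-LocalGroupMember returns names as COMPUTER\Anon000; keep the last part.
$groupMembers = @()
try {
    $groupMembers = Get-LocalGroupMember -Group 'Anonymous' -ErrorAction Stop |
        ForEach-Object { ($_.Name -split '\\')[-1] }
} catch {
    Write-Warning "Local group 'Anonymous' not found: $($_.Exception.Message)"
}

# Every local account that follows the Anon### naming pattern, whether or not
# it is still in the group (the server can create extra ones on the fly).
$anonAccounts = Get-LocalUser | Where-Object { $_.Name -match $pattern }

$report = foreach ($acct in $anonAccounts) {
    [pscustomobject]@{
        Name             = $acct.Name
        Enabled          = $acct.Enabled
        InAnonGroup      = $groupMembers -contains $acct.Name
        PasswordRequired = $acct.PasswordRequired
        LastLogon        = $acct.LastLogon
    }
}

$report | Sort-Object Name | Format-Table -AutoSize

$enabled = @($report | Where-Object Enabled)
Write-Host ("{0} Anon accounts found, {1} currently enabled" -f @($report).Count, $enabled.Count)

if ($Disable) {
    foreach ($acct in $enabled) {
        # Disable rather than delete so the pool can be re-enabled later,
        # as the text recommends.
        Disable-LocalUser -Name $acct.Name
        Write-Host "Disabled $($acct.Name)"
    }
}
```

Run it without parameters first to see which pool accounts are enabled and whether any Anon### account has drifted out of the group; add -Disable only on servers where anonymous applications are not published.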
Explicit User Accounts
Explicit users, which are created and maintained via the Active Directory User Manager, have a "permanent" existence. Their desktop settings, security settings, and so on, are retained between sessions for each user in a user profile.
Explicit users can be of any user class and are generally created for a specific purpose. Their access permissions may be changed by using the Active Directory User Manager.
Identifying what groups of users will have access to an application that is about to be published will aid in server and link resource planning and may even expedite the publishing process. Administrators can capitalize on group settings and extend application access to multiple users concurrently. Conversely, using the Anonymous group is a handy way to make general-purpose applications available to the broadest possible user community in the least amount of time.
MetaFrame Password Manager
Citrix MetaFrame Password Manager (CMPM) is a single sign-on solution designed specifically for MetaFrame XP and MetaFrame Secure Access Manager. CMPM provides password security and single sign-on access to Windows, web, proprietary, and host-based applications running in the MetaFrame Access Suite environment. Users authenticate once with a single password, and MetaFrame Password Manager does the rest, automatically logging in to any password-protected information system, enforcing password policies, monitoring all password-related events, and automating end-user tasks, including password changes.
CMPM consists of three components:
A Directory Service to centrally store the password and user information. Three choices are available: File Sync (native to CMPM), Microsoft Active Directory, and LDAP directories (Sun ONE Identity Server and Novell eDirectory).
The MetaFrame Presentation Server Agent—a 32-bit agent that runs on MetaFrame servers or on a local client workstation
MetaFrame Password Manager Console
Once a user has logged in and authenticated to a directory service, the agent intercepts any future password requests with a query, asking if the user would like the password manager to manage this password. If the user answers yes, then the password information is stored in the central directory service store and handed back to the client workstation when the workstation queries for that password again.
MetaFrame Password Manager enhances security by centralizing security policies, providing an encrypted file for each user's credentials, and allowing IT administrators to automatically generate passwords that are more difficult to crack and to change them more frequently, if needed.
CMPM can either be purchased with the Access Suite Bundle or individually.
Application Publishing Security
In addition to considering the user population for an application, administrators also need to consider the security requirements of the applications they are planning to publish. MetaFrame XP provides additional methods, beyond those of Microsoft operating systems, for securing access to applications published on the MetaFrame server.
Limiting Users to Published Applications
Users of a specific connection type (dial-up, for example) can be restricted to running published applications only. By allowing users to access only predefined applications, unauthorized users are prevented from obtaining access to the Windows desktop or a command prompt as their initial application unless an administrator has published it. This type of security may be obtained by using the Advanced Connection Settings dialog box in the Connection Configuration utility.
It is important to note, however, that many applications and utilities have major security holes (for example, some applications permit a user to launch other applications [explorer.exe or cmd.exe] from within them). Thus a significant amount of time must be spent putting in place policies, profiles, and registry changes to more securely lock down the operating system and applications. Enterprise environments should consider a lockdown application (two popular lockdown application companies that are certified to work in an SBC environment are triCerat RES and AppSense, covered in more depth in Chapters 11, 13, and 15) to specifically automate the lockdown tasks.
Limiting Applications
The Citrix Management Console allows an administrator to restrict an application to specified users or groups of users, assuming they have been given explicit user access.
Firewall Security and Limited Access from Non-Authorized External Users
With security at the forefront of most enterprise activities, the Internet firewall has become non-optional for every enterprise to protect its resources from non-authorized Internet intrusion. But, since the Internet is such a necessary access method for many users, the firewall often poses a very difficult trade-off—full security versus easy access. MetaFrame Secure Gateway solves this trade-off by providing both easy access and industry-recognized security. MetaFrame Secure Gateway is covered in much more depth later in this chapter, as well as in Chapter 16.
Usernames and Passwords
As long as explicit user accounts are specified, MetaFrame XP supports a large number of authentication approaches. For starters, strong password authentication is essential for security (see Chapter 8 for a more detailed password discussion). Even better, consider a second-factor authentication approach (using not only something a user knows, but also something unique that only that specific user has, such as a smart card, token, or biometric). MetaFrame XP FR-3 is fully integrated with RSA and Secure Computing's second-factor authentication, as well as a large variety of authentication tools (biometric, smart card, and so on) that integrate with RSA and Secure Computing's authentication software. Additionally, companies like Secure Computing provide a method to integrate the second-factor authentication with MetaFrame Web Integration access, Program Neighborhood access, and Windows 2000 Active Directory access, to make authentication seamless to the user community. See Chapter 8 for more detail and discussion on security.
ACLcheck Utility
The ACLcheck utility supplied with MetaFrame examines the security ACLs associated with MetaFrame XP files and directories. This utility can be used to report on any potential security breaches.
Application Execution Shell
The Application Execution Shell (App) in MetaFrame allows administrators to write application execution scripts that perform actions before and after application execution. These scripts can be used in connection with other security utilities to check the security of MetaFrame servers and clients.
MetaFrame as a Web Application Access Center
In these days of electronic business and the Internet, companies are also porting applications to intranets, extranets, and the Internet, where they can be used by business partners and even consumers. MetaFrame XP facilitates this objective with MetaFrame Web Interface, Web Interface Extensions, and MetaFrame Secure Access Manager. One thing common to all versions of Web Interface is the ability to use pass-through or single sign-on for multiple applications.
MetaFrame Secure Gateway
In our view, one of the most significant new features developed by Citrix in the past three years is MetaFrame Secure Gateway, which is included in all editions of MetaFrame XP. Although Citrix has long provided access via the Internet, enterprise organizations often struggled with providing Internet access to SBC environments due to security concerns. Although both Citrix's ICA and Microsoft's RDP support 128-bit encryption, both protocols also require that firewall ports be opened, at both the client and data-center sides of the Internet. This firewall change creates both logistical and security challenges for companies, especially in instances where the far-side firewall cannot be influenced. One example of this is when a company's employees are housed on other companies' campuses (either temporarily or for the duration of a longer project), and, as such, often cannot affect the firewall rules at their location.
Secure Gateway solves this problem by converting ICA traffic from port 1494 to port 443 (SSL) in the data-center DMZ. Since SSL is a widely supported standard and utilized for many other web purposes, it provides a very standard and accepted transmission method for traffic traversing firewalls and the Internet. Secure Gateway requires several additional server hardware components. See Figure 3-4 for a diagram of a Secure Gateway implementation.
Figure 3-4: MetaFrame Secure Gateway example deployment
Web Interface for MetaFrame
MetaFrame XP includes Web Interface for MetaFrame (formerly NFuse Classic) with the XPs and XPa editions. This product enables administrators to integrate published applications and data into customized web portals for end users, who can then access the applications via a web browser.
In addition to publishing applications to the familiar web browser interface, another popular use of Web Interface for MetaFrame is to deploy the ICA client itself. MetaFrame Web Interface provides for automatic download and updates of the ICA client, largely transparent to the user, upon user login. This provides a very fast and clean deployment and update mechanism for first-time Citrix users and remote users.
Using MetaFrame Web Interface, the presentation layer elements of multiple applications can be combined on a single page for exposure to the end user as a single, unified application. A simple wizard is provided to aid the administrator in defining the portal contents, which may include applications hosted on MetaFrame XP and MetaFrame for UNIX servers. Support for MetaFrame for UNIX enables the Web Interface for MetaFrame portal to be used to integrate both Windows and UNIX-based applications and data.
Web Interface for MetaFrame access centers can be customized to meet the needs of individual users, who access their applications in accordance with a user or group account login, or fielded as general-purpose access centers for access by anonymous users. Either way, the access centers, like other MetaFrame applications, are managed via the same set of MetaFrame utilities used to manage and control other applications published through MetaFrame.
MetaFrame Web Interface Extensions
MetaFrame Web Interface Extension (formerly Citrix Enterprise Services for NFuse, or ESN) is included with XPe and performs the same tasks as Web Interface for MetaFrame XP, with the additional feature of multiple-farm aggregation.
Web Interface Extension for MetaFrame XP enables highly scaled application provisioning from MetaFrame by aggregating application sets from multiple farms. When combined with MetaFrame Secure Gateway, it provides a simple, secure, single point to access business-critical applications.
MetaFrame Web Interface Extension provides the following solutions:
Multiple farms operating in the enterprise can be used more efficiently and managed more easily.
Administrators don't have to rely on web programming skills to control the operation of Web Interface for MetaFrame XP.
Users only have to provide credentials once, not for each application accessed via MetaFrame XP.
Administrators and users can set values for each MetaFrame XP application instead of being restricted to single global values for all users and all applications.
MetaFrame Secure Access Manager
MetaFrame Secure Access Manager (MSAM) is a stand-alone application that, while able to enhance MetaFrame, does not require MetaFrame. MSAM is a member of the MetaFrame Access Suite, and can be purchased individually or bundled with the suite. It is not included with MetaFrame XP. MSAM is a full-blown access solution, comparable to portal products like Microsoft SharePoint Portal Server or Plumtree Corporate Portal. MSAM differs from MetaFrame Web Interface in that it is designed to be a common interface for the aggregation of many different types of corporate data and applications rather than just thin deployment of Windows and UNIX applications. MSAM differentiates itself from portal products by providing a wizard-based tool with content delivery agents (CDAs) that automate such tasks as placing MetaFrame ICA icons within the web access page, or grabbing Microsoft Exchange content and placing it within the web page.
MSAM can quickly, and through a wizard-based tool, create a single, secured web interface that has a portion of the window showing a message from the president of the company, another portion of the window showing the number of customers in a call queue for support, another portion of the window that is a customer information lookup for pertinent data, a portion of the window showing applications available (both ICA and web based), and a final tag across the top that shows the corporate stock price. All of these sections are dynamically controlled based on the role of the user. Figure 3-5 shows a screenshot of a simple MSAM portal page.
Shadowing
In addition to providing tools for managing application publishing, MetaFrame delivers a utility targeted at reducing administrative costs by enabling the remote support of users of published applications. Session Shadowing enables the administrator (or help-desk personnel) to remotely join, or take control of, another user's ICA session. When activated, Session Shadowing displays the user's screen on the administrator's console. Optionally, the administrator can assume control of the remote user's mouse and keyboard, which enables demonstrations.
In addition to facilitating help desk and troubleshooting processes, Session Shadowing can also be used in online interactive teaching and call-center applications.
Additional security has been added to MetaFrame XP: shadowing can be limited or disabled during installation, and that choice cannot be reversed afterward. Administrators can disable shadowing of ICA sessions on all servers in a server farm if legal privacy requirements prohibit the shadowing of users' sessions. Alternatively, it may be necessary to disable shadowing on servers that host sensitive applications, such as personnel or payroll applications, in order to protect confidential data. MetaFrame XP Setup provides options on the Shadowing Setup page for an administrator to limit or disable shadowing at installation time. When shadowing is enabled, an administrator has the option to select the following restrictions:
Prohibit remote control of ICA sessions. By default, MetaFrame XP gives administrators the ability to input keystrokes and mouse control during session shadowing. Select this option if you want administrators to be able to shadow only without input (view-only). In some cases, shadowing without input hides administrator presence.
Prohibit shadow connections without notification. By default, MetaFrame XP notifies users with a prompt when an administrator is attempting to shadow their sessions. Select this option to deny administrators the ability to shadow sessions without sending this notification.
Prohibit shadow connections without logging. Events such as shadowing attempts, successes, and failures can be logged in the Windows event log and examined using Event Viewer. Select this option to enforce logging of shadowing events.
Do not allow shadowing of ICA sessions on this server. This option permanently disables shadowing by anyone of all ICA sessions on the server.
Configuring Session Shadowing
Session Shadowing is configured at the time of connection configuration. The shadowing settings in the Advanced Connection Settings dialog box control the behavior of shadowing for all sessions on the connection. Setting options include
Enabled. Specifies that sessions on the connection can be shadowed.
Disabled. Specifies that sessions on the connection cannot be shadowed.
Input On. Allows the shadower to input keyboard and mouse actions to the shadowed session.
Notify On. Specifies that the shadowed user gets a message asking if it is OK for the shadowing to occur.
Session Shadowing Initiation
The initiation of Session Shadowing can be accomplished via the Shadow taskbar, the Citrix Management Console, or from a command line. Each interface is well documented and reasonably self-explanatory.
Citrix MetaFrame Conferencing Manager
Citrix MetaFrame Conferencing Manager adds intuitive application conferencing to MetaFrame XP. This application is a new member of the MetaFrame Access Suite and can be purchased as an individual package or bundled with the Suite. Conferencing Manager integrates three components: a Microsoft Exchange/Outlook calendar form; a new Conferencing Manager interface that initiates, cancels, and manages the users and applications of the conferences; and MetaFrame XP's session shadowing features. These three components create an intuitive interface by which users create and join a collaborative conference session among multiple people. Because shadowing cannot occur across multiple MetaFrame XP servers, each conference is limited to the number of sessions that one server can support (typically about 100 people on a four-processor MetaFrame XP server running Microsoft PowerPoint).
Conferencing Manager eliminates the geographical distance between team members, increases the productivity of meetings, and allows easy collaboration. Teams can utilize Conferencing Manager to share application sessions, work together on document editing, and conduct online training, regardless of the location of individual team members or the access devices or network connections they're using.
MetaFrame Licensing
The MetaFrame license is more than an agreement describing the cost to the user and revenue to the vendor. It is a technical licensing implementation in which licenses are pooled by the MetaFrame servers themselves and used to calculate authorized use of the product (see Tables 3-3 and 3-4). In short, if the license provides for 20 users to connect to a MetaFrame server, user number 21 will be locked out by the server.
Table 3-3: List Pricing (New Customer) Connection Licenses

Edition          With Subscription Advantage    Without Subscription Advantage
MetaFrame XPs    $290                           $250
MetaFrame XPa    $345                           $300
MetaFrame XPe    $400                           $350

Table 3-4: List Pricing (Upgrades) Connection Licenses

Upgrading From    Upgrading To     With Subscription Advantage    Without Subscription Advantage
MetaFrame XPs     MetaFrame XPa    $100                           $55
MetaFrame XPa     MetaFrame XPe    $105                           $55
MetaFrame XPs     MetaFrame XPe    $160                           $110
Citrix delivers MetaFrame licenses in three ways: the shrink-wrap method, corporate licensing, and ASP licensing.
The Shrink-Wrap Method
Administrators can purchase the base product and licenses for 20 concurrent users.
As configurations expand, bulk user packs can be purchased to meet changing needs. Additional MetaFrame XP user licenses can be added in increments of 5, 10, 20, or 50 concurrent users.
Easy Licensing
Easy Licensing is designed for customers with up to 500 concurrent licenses who wish to take advantage of electronic licensing. On-demand licensing allows administrators to purchase what is needed when it is needed. This licensing also allows for auto-activation for rapid deployment. Another advantage of Easy Licensing is that it does not have a complex paper contract, but rather uses a "click to accept" online agreement (similar to opening packaged products).
Corporate Licensing
Corporate licensing programs are available for large license quantities. This program uses a point-based system with four discount levels for corporations and a special education discount level. In addition, special pricing is available for corporate customers who adopt a "long-term strategic use" posture. In this case, cumulative purchases drive discounts. This program is designed for customers with 500 to 5000 concurrent seats.
Flex Licensing
Flex licensing is designed for companies with more than 5000 concurrent seats. Flex Licensing requires a custom contract, called a Global 2000 agreement, reserved for enterprise customers. The advantage of Flex licensing, in addition to a very significant discount, is that Citrix provides additional license automation to make it easier to install and activate MetaFrame licensing across a large quantity of servers.
Subscription Advantage
Subscription Advantage provides customers with a convenient way to keep their Citrix software current and maximize their server-based computing investments. Customers receive software upgrades, enhancements, and maintenance releases that become available during the term of their subscription. Subscription Advantage is for a one-year term and can be renewed each year.
MetaFrame Presentation Center for Unix
Although this book is primarily focused on MetaFrame XP for Windows 2003, UNIX-based applications continue to be a mainstay of many large enterprise environments, and Windows and UNIX users alike can benefit from seamless, single point, webified access to these applications. Because of the overall value of server-based computing in providing web-based seamless access to all applications from any device, for all users, the authors felt strongly that MetaFrame for UNIX should be covered in this book. A large majority of the features and infrastructure discussed in these pages will apply equally to MetaFrame Presentation Server for UNIX and MetaFrame XP for Windows 2003. Features and tools such as MetaFrame Web Interface, MetaFrame Secure Gateway, load management, and any-device access are further promoted by bringing the UNIX applications to the Citrix SBC infrastructure fold.
Although some long-time UNIX administrators argue that UNIX has supported multiuser functionality for years through X-Window, and thus MetaFrame for UNIX is not needed, they are missing out. Due to the feature-rich GUI environments of most UNIX desktops and applications, X-Windows (even compressed X) is very network-intensive. Because of this nature, costly WAN topologies need to be implemented, and low bandwidth connections are almost non-supportable due to performance issues. Additionally, X-Windows does not support such MetaFrame features as shadowing, copy and paste of both text and graphics between the local client and remote server environments, autocreation of local printers and client drive mapping, and most importantly, Web Interface integration with Windows and web applications.
Based in part on the success and popularity of MetaFrame XP in the Windows application hosting environment, Citrix recently announced the latest version of the MetaFrame product suite aimed at the hosting of UNIX, X-Window, and Java applications: MetaFrame for UNIX Version 1.2. The product, which at present supports IBM AIX, Sun Solaris, and HP-UX platforms, as well as virtually any custom or commercially packaged UNIX applications, offers the same value as MetaFrame XP, but with a UNIX/Java twist: low-bandwidth, universal client access over any network connection to any UNIX or Java application.
At the core of the MetaFrame for UNIX product is a modified X11R6.3 server. This does not replace the X11 server supplied with most UNIX operating systems but is specifically used to enable ICA-connected sessions running on MetaFrame for UNIX. MetaFrame for UNIX runs all standard X11 applications using the modified X server rather than the native X11 server.
In operation, the modified X11 server talks to a UNIX-ported ICA stack (Winstation Driver, Protocol Driver, and Transport Driver), which performs an X-to-ICA conversion. This is key to delivering applications seamlessly to clients from all MetaFrame platforms.
In addition to the modified X11 server and ported ICA stack, MetaFrame for UNIX also provides an ICA browser for use in load balancing and client browsing, a "listener" to intercept incoming ICA connections, and a "Frame Manager," which manages all the sessions currently running on the server.
The same core functionality used by MetaFrame for UNIX to deploy X11 and other applications hosted on UNIX servers can also be applied to Java applications. At first, this capability may seem redundant: in theory, Java applications are already portable to any device. In reality, however, Java client-side application deployments still confront numerous challenges.
Downloading Java applications relies on the available client-server network protocol, which is often not optimized for low-bandwidth connections. This is the source of the major complaint about Java applications: they are sometimes incredibly slow to download before they can run. Executing the Java application on the server instead, and delivering it over a bandwidth-optimized ICA connection, provides a higher-performance solution to this issue.
Java applications also fall prey to peculiarities in the Java Virtual Machine that runs on the client system. Not all JVMs are the same, and it is often the case that a Java application that runs perfectly in one JVM behaves very differently in another. MetaFrame for UNIX solves this problem by executing Java applications within the server's JVM environment.
Utilizing a single, server-based JVM also saves time and money when developing and testing Java applications developed in-house. Once the application is working in the server JVM, it can be deployed instantly to any ICA client device.
It should also be noted that the Java Virtual Machine is typically a large piece of software. While the development of an embedded JVM is under way, ultra-thin client devices lack the capacity to run a JVM that offers sufficient features or performance. This issue is removed through the use of the MetaFrame for UNIX solution.
In summary, MetaFrame for UNIX Operating Systems can be an important adjunct to Windows-based MetaFrame servers in heterogeneous server environments. MetaFrame for UNIX can be included in server farm and load-balancing schemes, and applications hosted on MetaFrame for UNIX systems may be published individually or as part of integrated Web Interface Access Centers for integrated access by end users.