
I have moved… 9 March, 2008

Posted by Melvin Porter in Uncategorized.

Well I have spent way too much time transferring all my postings from my old blog to this one. Unfortunately there was no direct import option, so much of it was a manual process. Urrrgggh!

I hope you like it, it still needs a lot of work though.

Incidentally, after all this work I have done today… I’m going to take a break. I’ll be offline for a bit.

Cheers

Melvin :-)

Having trouble discovering a remote Presentation Server 4.5? 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Is this the error you are getting?

Error: Errors occurred when using “Servername” in the discovery process

Event ID 10006 with a source of DCOM appears with the following description: DCOM got error: “The component or the application containing component has been disabled…”


The Citrix knowledge base article explains it as follows:

The Access Management Console in Citrix Presentation Server 4.5 leverages MFCOM and CPSCOM interfaces. In order to use a remote Presentation Server in the Access Management Console discovery process, the remote Presentation Server must be enabled for network COM+ access. If the remote Presentation Server is not running Internet Information Services (IIS), then typically network COM+ access is not enabled.

Solution: it can be fixed in one of two ways. Either enable Network COM+ access via Add/Remove Windows Components, or edit the registry.

Find the complete solution here: http://support.citrix.com/article/CTX112853
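If you would rather check a server from a script than click through Add/Remove Windows Components, the following is an added example (not from the Citrix article or this post). It assumes the "Network COM+ access" switch is the REG_DWORD value RemoteAccessEnabled under HKLM\SOFTWARE\Microsoft\COM3 (1 = enabled); confirm that against CTX112853 before relying on it. It also pulls the DCOM 10006 events the post describes, so you can see whether the symptom matches.

```powershell
# Added example: check (and optionally enable) Network COM+ access on a Presentation
# Server 4.5 host so the Access Management Console can discover it remotely.
# ASSUMPTION: the setting lives at HKLM\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled
# (REG_DWORD, 1 = enabled). Verify against CTX112853 for your service pack level.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Fix
)

$hive = [Microsoft.Win32.RegistryHive]::LocalMachine
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
# Open writable only when we intend to change something.
$key  = $base.OpenSubKey('SOFTWARE\Microsoft\COM3', $Fix.IsPresent)
if ($key -eq $null) { throw "COM3 key not found on $ComputerName" }

$current = $key.GetValue('RemoteAccessEnabled', 0)
Write-Host ("{0}: RemoteAccessEnabled = {1}" -f $ComputerName, $current)

if ($current -ne 1) {
    if ($Fix) {
        $key.SetValue('RemoteAccessEnabled', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Host "Network COM+ access enabled; restart the server (or the COM+ System Application) for it to take effect."
    } else {
        Write-Warning "Network COM+ access is disabled on $ComputerName; AMC discovery will fail with DCOM event 10006. Re-run with -Fix to enable it."
    }
}
$key.Close(); $base.Close()

# Corroborate with the symptom from the post: DCOM event 10006 in the System log.
Get-EventLog -LogName System -ComputerName $ComputerName -Source DCOM -Newest 50 |
    Where-Object { $_.EventID -eq 10006 } |
    Select-Object TimeGenerated, Message |
    Format-Table -AutoSize
```

Remember that enabling network COM+ access exposes the server's DCOM endpoints (RPC 135 plus dynamic ports) to the network, not just to the console. Restrict that traffic with the host firewall or IPsec to the management workstations that actually run the Access Management Console.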

New Courseware from Citrix 9 March, 2008

Posted by Melvin Porter in Certification, Project Delaware, XenApp/Presentation Server.

Citrix have invited CCIs (Citrix Certified Instructors) to feed in their comments regarding upcoming courseware for Project Delaware. I would love to tell you all about it, but it is all subject to NDAs (Non-Disclosure Agreements).

All I can say is… “It’s pretty cool.” I am really looking forward to the new product.

Heh heh heh! That whetted your appetite, didn’t it?

Cheers

Melvin

Application Streaming – In XenApp 4.5 (Presentation Server 4.5) 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.


Citrix’s Admin Guide for Application Streaming says this:

The application streaming feature simplifies application deployment to end users. With the application streaming feature, you can install and configure an application on one file server and deliver it to any desktop or server on demand. Upgrading or patching an application is simple, because you are required only to update or patch an application stored in one place: on the file server.

But what is Application Streaming?

In a nutshell, Application Streaming involves profiling an application and storing that profile on a file server, from which it can then be deployed to a client desktop. I always think of it as a mixture of Application Isolation Environment and Installation Manager.

But what does profiling mean?

Profiling is the process of recording all the installation changes (registry, file system, plug-ins etc) of an application, and then compiling them into a profile file (e.g. *.profile).

But what if I use different client operating systems with different service pack levels?

A profile is made up of potentially many targets – one for each operating system, or service pack, or language or drive letter.

The trick is to ensure that exactly one target can match any given client, so that there is only one possible application to stream. That is to say, targets cannot overlap.

Targets will appear in the file system as *.cab files.

To clarify:

A Profile is made of targets.

PROFILE: Adobe

    TARGET: Adobe: Windows XP

    TARGET: Adobe: Windows XP + SP1

    TARGET: Adobe: Windows 2000 Professional

    TARGET: Adobe: Windows Server 2003

Ideally we would want to have one profile with one target which suits all operating systems, service packs etc.

How will you know if this will be the case? Testing, Testing and more Testing.

The application will be deployed to the client device if the client has the Streaming Client installed. If the client does not have the Streaming Client installed, then the application can be configured to either not launch or launch from the XenApp Server. The XenApp servers have the streaming client installed by default.

Streaming works as follows:

The client or server will receive a .RAD file from the web server. The .RAD file has instructions for the streaming client for setting up the isolation environment as well as the location of the file server which stores the .profile file. The .profile file has the targets which are then sent to the client device for launching in the isolation environment.

Useful links:

Back up and restoring policies in XenApp 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Andrew reminded me of this one today… Ever wanted or needed to back up and restore your Presentation Server policies?

Mark Elliot posted a very handy little VB script to do just that.

Go to Brian Madden’s website to get it.

Full posting here: http://www.brianmadden.com/content/article/VB-Script-to-Backup–Restore-CPS-policies 

How to create a Virtual PC environment 9 March, 2008

Posted by Melvin Porter in Certification.

This isn’t strictly a Citrix article, but it is useful nevertheless. My students often ask me how we create the virtual images that we use in class. I use both VMware Player and Virtual PC 2007. Many students have used Microsoft’s Virtual PC 2007, but not many have actually set it up themselves. This is an excellent way of setting up some computers to assist you with your studies.

I will admit, I never compiled this little document – I lifted it from Trevor’s blog at www.grounding.co.za. 

Thanks Trevor.

Download VPC2007 from Microsoft – it is free – get it here.

Install VPC2007. Be sure to have sufficient resources (CPU, memory etc.) on your computer to host the guest operating systems.

After you have installed Virtual PC on your machine, create a VPC by following the steps below.

Creating a Virtual Machine

To create a custom virtual machine:

  1. Open Virtual PC Console.
  2. In Virtual PC Console, click New.
  3. In the New Virtual Machine Wizard dialog box, click Next.
  4. In the Options dialog box, click Create a virtual machine, and then click Next.
  5. In the Virtual Machine Name and Location dialog box, type a name for the new virtual machine, and then click Next. By default, the wizard creates a new virtual machine configuration file (.vmc) and a new folder, both with the same name, in the My Virtual Machines subfolder of the My Documents folder. If you want to store the new folder and configuration file in a different location, type the full path for this location or click Browse to find it.
  6. In the Operating System dialog box, in the Operating system list, select the operating system that you want to run on this virtual machine, or click Other if the operating system is not listed, and then click Next.
  7. In the Memory dialog box, do one of the following:
     • To accept the recommended memory allocation, click Using the recommended RAM, and then click Next.
     • To modify the recommended memory allocation, click Adjusting the RAM, change the setting by moving the slider or by typing the number of megabytes, and then click Next.
  8. In the Virtual Hard Disk dialog box, do one of the following:

     To use a previously created virtual hard disk:
     • Click An existing virtual hard disk, and then click Next.
     • In the Virtual Hard Disk Location dialog box, type the name of an existing virtual hard disk file (.vhd). By default, the wizard looks for the virtual hard disk file in the My Documents folder. If the file that you want to use is in a different folder, type the full path for this folder or click Browse to find it.
     • Select or clear the Enable undo disks check box, and then click Next.

     To create a virtual hard disk for this virtual machine:
     • Click A new virtual hard disk, and then click Next.
     • In the Virtual Hard Disk Location dialog box, type a name for the new virtual hard disk file, and then click Next. By default, the wizard creates a new virtual hard disk file in the same folder as the virtual machine file. If you want to create the new file in a different location, type the full path for this location or click Browse to find it.
  9. In the Completing the New Virtual Machine Wizard dialog box, click Finish.

Install your operating system and software

  1. Open Virtual PC Console.
  2. In the list of virtual machines, click the virtual machine that you want to run, and then click Start.
  3. In the CD menu, choose Use Physical Drive D:. You may use either a physical drive or an ISO image; to use an ISO, choose Capture ISO image from the CD menu and specify the path to the ISO file.
  4. Proceed to install your operating system, register it and install service packs.
  5. Shut down your operating system and commit changes to disk.

Citrix XenApp or Windows Terminal Services? 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Citrix XenApp or Windows Terminal Services? Like many people, you may be wondering whether to choose Citrix XenApp (the new name of Presentation Server) or Windows Terminal Services. Well, I have done a bit of looking around and compiled these links. Hopefully this will help you to make an informed choice. No points for guessing which one I’ll choose!

Citrix XenApp and Microsoft Windows Terminal Services

Citrix XenApp on Microsoft Windows Terminal Services: A Feature Analysis

The Tolly Group’s Performance Evaluation of Citrix Presentation Server 4.5 Platinum Edition and Windows Server 2003 Terminal Services

Citrix value add to Windows Server Terminal Services 2003

Extending Terminal Server with the Citrix Access Platform: A case study and analysis of return on investment benefits

Citrix Presentation Server - A Product Overview

No doubt all this may change when more details emerge on Windows Server 2008 as well as Project Delaware! I look forward to that.

Enjoy the weekend!  

Looking for the Advanced Concepts Guide for PS 4.5 (XenApp) ??? 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Advanced Concepts Guide for Presentation Server 4.5 (XenApp)

Citrix are testing a web-based version of the Adv. Concepts Guide rather than a .PDF format as in the past.

I hope they go back to the original .PDF format – much more portable.

You find the online version here…   http://support.citrix.com/article/ctx114746

Health Monitoring and Recovery 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Another question from my class this week… (Way too much thinking going on there!!!)

One of the actions that can be configured when a Health Monitoring and Recovery (HMR) test fails is to remove the server from the load balancing list. Sure, that is great, but how do you put the server back on the list after fixing the problem?

The server can be added by running EnableLB.exe

This little file can be found in C:\Program Files\Citrix\System32

To see the syntax simply open a CMD-Prompt and type

enableLB /?

Health Monitoring & Recovery – Feature Pack 1 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

6 new health packs/tests released! With PS 4.5 Feature Pack 1 there are 6 new health packs/tests. If you are only after these 6 health packs, you can also download them from the following location (and install them on PS 4.5 Enterprise or Platinum servers): http://support.citrix.com/article/CTX112805

  • Microsoft Print Spooler test

This test checks the reliability of the Microsoft print spooler: it enumerates the printers on the local server, the printer drivers and the print processors. Exercising these tasks is fundamental to gauging the health of the print service.

  • Citrix Print Manager Service test

This test verifies the health of the service by enumerating local session printers etc.

  • Check DNS test

The Check DNS test by default will run a forward DNS lookup and a reverse DNS lookup to ensure that there are no DNS related errors that can degrade the health of the server.

  • ICA Listener test

The responsibility of this test is to ensure that ICA clients can make a successful connection to the local server via the ICA protocol. This functionality is validated by pinging the ICA listener and monitoring the response.

  • Check XML Threads

This test monitors whether the XML service is being overloaded with traffic. When this happens, Web Interface/PN Agent connections will suffer. The test alerts administrators that they may need to address XML service performance.

  • Check Local Host Cache test

This test is responsible for recognizing and responding to LHC corruptions and inconsistencies on the local machine that might have resulted from stale data left when removing a server and/or published application. LHC inconsistencies refer to duplicate entries or entries that do not match with the data store objects.

Security Alert – CTX116228 9 March, 2008

Posted by Melvin Porter in Citrix, Security, XenApp/Presentation Server.

Under specific circumstances, the installation process for Citrix Presentation Server 4.5 and Citrix Desktop Server 1.0 could result in database credentials being written to an MSI logfile. From Citrix:  http://support.citrix.com/article/CTX116228

Applies to:

  • Presentation Server 4.5 for Windows Server 2003
  • Citrix Presentation Server 4.5 for Windows Server 2003 Russian Edition
  • Citrix Presentation Server 4.5 for Windows Server 2003 x64 Edition
  • Citrix Presentation Server 4.5 for Windows Server 2003 Feature Pack 1
  • Citrix Desktop Server 1.0
  • Citrix Desktop Server 1.0 x64
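The advisory says where the credentials can end up but not how to find out whether they did on your servers. The following is an added example (not part of the Citrix advisory or this post) that sweeps the usual MSI log locations for connection-string keywords and reports the hits with the password portion redacted, so the report itself does not re-leak the secret. The search roots and the keyword patterns are this script's own assumptions, not the exact strings the advisory refers to.

```powershell
# Added example: find MSI logs that may contain the data store credentials described
# in CTX116228 and report them with the password value redacted.
# ASSUMPTIONS: verbose MSI logs are *.log files under the roots below; the keywords
# are generic ODBC/OLE DB connection-string tokens, not advisory-specific strings.
param(
    [string[]]$SearchRoots = @($env:TEMP, "$env:WINDIR\Temp"),
    [int]$MaxAgeDays = 365
)

$patterns = @('Password\s*=', 'PWD\s*=', 'User ID\s*=', 'UID\s*=')
$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)

$findings = foreach ($root in ($SearchRoots | Select-Object -Unique)) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.log -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-String -Pattern $patterns |
        ForEach-Object {
            # Redact the password value so the report can be shared safely.
            $redacted = $_.Line -replace '((?:Password|PWD)\s*=\s*)[^;]+', '$1<redacted>'
            New-Object PSObject -Property @{
                File = $_.Path
                Line = $_.LineNumber
                Text = $redacted.Trim()
            }
        }
}

if ($findings) {
    $findings | Format-Table File, Line, Text -AutoSize
    Write-Warning "Credential-like strings found. Rotate the data store account password and securely delete these logs."
} else {
    Write-Host "No credential-like strings in *.log files under: $($SearchRoots -join ', ')"
}
```

If the sweep finds anything, treat the credential as compromised: rotating the data store account password matters more than deleting the log, because the log may already have been copied to a backup or a support bundle.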

Web Interface 5.0 Preview 9 March, 2008

Posted by Melvin Porter in Citrix, Project Delaware, XenApp/Presentation Server.

Have a look at Thomas Koetzing’s preview of the all new funky looking Web Interface 5.0 (Project Delaware) (on Windows Server 2008)

 http://www.thomaskoetzing.de/index.php?option=com_content&task=view&id=249&Itemid=277

Web Interface 5 Login Page (screenshot)
Web Interface 5.0 – Application Set Page (screenshot)

Project Delaware – Code name for next version of XenApp 9 March, 2008

Posted by Melvin Porter in Citrix, Project Delaware, XenApp/Presentation Server.

Project Delaware

…is the code name for the next version of XenApp (the new name of Citrix Presentation Server) and will be the first major release to support Windows Server 2008.

According to Citrix’s Sridhar Mullapudi (product management team for Presentation Server):

“…we have been working on this release for almost 2 years. It has been a great journey and we know its importance. It resembles the journey that George Washington took to cross Delaware river in 1776 as part of the American Revolution. And that’s why we named it project Delaware.”

Sridhar Mullapudi goes on to point out that the next version will support the XPS printing protocol, ClearType font smoothing, Special Folder Redirection (when users click on “My Documents” or “Desktop” in a published application, they can be redirected to their local device folders) and IPv6 support through Secure Gateway. Over and above this, Citrix will extend the platform by adding a brand new Web Interface with loads of end-user usability enhancements, key application streaming enhancements, EdgeSight 5.0 and Preferential Load Balancing.

Want  a preview of Preferential Load Balancing in Project Delaware?

Check it out… http://mfile.akamai.com/8296/wmv/citrix.download.akamai.com/8296/TechVidEnc/PLBDemo.asx

Keyboard layout not saving? IgnoreRemoteKeyboardLayout 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

I had this question pop up in the Citrix class I am currently teaching… (Hi Blair!)

When users log on to a Citrix session their keyboard layout changes … i.e. despite having it configured to EN-AU, it persistently switches back to EN-US keyboard layout.

I have seen this and it is very frustrating… luckily there is an easy fix. We simply tell the server to ignore the client’s keyboard layout and use the keyboard layout of the user’s profile. How do we do this? We use a little registry tweak called IgnoreRemoteKeyboardLayout.

Microsoft Windows 2000 introduced the IgnoreRemoteKeyboardLayout server-side setting to resolve a problem with substituted keyboard layouts. Although Windows Server 2003 does not suffer from this problem, the setting lets a Windows 2000-based server use the keyboard layout and the locale that are in the user’s profile. The setting makes the keyboard layout and the locale controllable by using a logon script or a default profile. Be aware, however, that this solution may not work on your Windows Server 2003 server. Never fear, there is a hotfix available: http://support.microsoft.com/kb/842136/en-us This problem was addressed in SP1.

1. On the Citrix / Terminal server, click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout

3. On the Edit menu, click Add Value, and then add the following registry information:

Value name: IgnoreRemoteKeyboardLayout
Data type: REG_DWORD
Value data: 1
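Doing the three regedit steps above by hand on every server in a farm is tedious and easy to get subtly wrong (a value created as REG_SZ instead of REG_DWORD is ignored). The following is an added example, not part of the original post, that applies the setting to a list of servers over the Remote Registry service and reads each value back, reporting a missing or wrongly typed value rather than silently leaving it. It assumes you have administrative rights on each server and the Remote Registry service is running there.

```powershell
# Added example: set IgnoreRemoteKeyboardLayout = 1 (REG_DWORD) on a list of
# Citrix/Terminal servers via the remote registry and verify the result.
# ASSUMPTIONS: admin rights on each server; Remote Registry service running.
param([string[]]$Servers = @($env:COMPUTERNAME))

$subKey = 'SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$name   = 'IgnoreRemoteKeyboardLayout'

foreach ($server in $Servers) {
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
        $key  = $base.OpenSubKey($subKey, $true)   # writable
        if ($key -eq $null) { throw "key '$subKey' not found" }

        $before = $key.GetValue($name)
        $kind   = if ($before -ne $null) { $key.GetValueKind($name) } else { 'missing' }

        if ($before -ne 1 -or $kind -ne 'DWord') {
            # Delete first in case an earlier hand edit created it with the wrong type.
            if ($before -ne $null) { $key.DeleteValue($name) }
            $key.SetValue($name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue($name)
        "{0,-20} before={1} ({2})  after={3}" -f $server, $before, $kind, $after

        $key.Close(); $base.Close()
    } catch {
        Write-Warning "$server : $($_.Exception.Message)"
    }
}
```

The value is read at session creation, so existing sessions keep the layout they logged on with; users need to log off and reconnect before they see the change.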

Citrix Demos 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Go to the Citrix page to check out all the demos!

Citrix Presentation Server 4.5 Platinum Edition, featuring…

Smart Access

Application Streaming

Application Performance Monitoring

 Single Sign-On

 Automatic Password Reset

Citrix XenApp – The New Name For Citrix Presentation Server 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

  XenApp

The New Name of Presentation Server

  • End-to-end Windows application delivery
  • Strongest security for applications and intellectual property
  • Outstanding application performance over any network
  • Fastest application delivery to all users – anywhere
  • Continuous availability and reliable, fast application performance
  • One interface, one logon, one great experience

XenApp supports many of today’s IT and business initiatives

Whoo hoo ! Passed the beta exam for Citrix Presentation Server 4.5: Support (264) 9 March, 2008

Posted by Melvin Porter in Certification, XenApp/Presentation Server.

I recently got word from Prometric that I passed the beta exam for Citrix Presentation Server 4.5: Support (264).

The CTX1264 course (1Y0-264 exam) is the replacement for the CTX1258 course (1Y0-258 exam). The 1Y0-264 is a requirement for CCEA (Citrix Certified Enterprise Administrator).

The CTX1264 course is an ILT (Instructor Led Training) course which introduces the tools used to monitor the Presentation Server farm, record farm activity and generate reports. This course provides learners with the skills necessary to maintain data and server integrity and to scale, optimize and troubleshoot the Presentation Server farm.

It is a three day course

How to disable the Universal Printer Driver for specific printers 9 March, 2008

Posted by Melvin Porter in Citrix, Printing, XenApp/Presentation Server.

How to make the message centre in Web Interface 4.x display the link to the .msi file 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Application Isolation Environments… Compatibility Issues 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

The difference between upgrading and migrating to PS 4.5 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Citrix Link…  http://support.citrix.com/kb/entry.jspa?entryID=12923

For detailed information on migrating or upgrading, see pages 77-84 of CTX112223

http://support.citrix.com/kb/entry.jspa?entryID=12606

Enabling Access Management Console traffic across firewalls policy 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Office 2007 – known issues with PS 4.0 and 4.5 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Citrix link…   http://support.citrix.com/kb/entry.jspa?entryID=11684 

Bear in mind memory optimization is not supported on Office 2003 (I will need to verify if this applies to Office 2007 as well.)

EdgeSight 4.2 Licensing explained 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Printers supported by HP for use with PS4.0 and PS4.5 9 March, 2008

Posted by Melvin Porter in Citrix, Printing, XenApp/Presentation Server.

Citrix link… to an HP .pdf file…    http://support.citrix.com/kb/entry.jspa?entryID=10498

Supported Databases for PS 4.5 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Upgrading MSDE 2000 to SQL 2005 Express SP1 with PS4.5 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Want to know how to upgrade Microsoft SQL Server Desktop Engine (MSDE) 2000 to SQL Server 2005 Express Service Pack 1 for use with Presentation Server 4.5?

Check out the following Citrix link… http://support.citrix.com/kb/entry.jspa?entryID=12816 

What causes the ICA security access box to pop up sometimes and sometimes not when using web interface? 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

Check out CTX568194 - “ICA Client File Security: Web Client Drive Access and the Webica.ini File Explained” Knowledge Base article.

Speedscreen Local Text Echo for use with Web Interface with PS 4.0 9 March, 2008

Posted by Melvin Porter in Citrix, XenApp/Presentation Server.

To enable SpeedScreen Latency Reduction for Web Interface applications, you must modify the Template.ica file with the following entries under the [NFuse_IcaWindow] section.

[NFuse_IcaWindow]
ZLKeyboardMode=1
ZLMouseMode=1

Now when you open ICA Connection Center, you will see SpeedScreen Latency Reduction = ON.

Securing Your Terminal/Citrix Servers 4.0 with The Security Configuration Wizard 9 March, 2008

Posted by Melvin Porter in Citrix, Security, XenApp/Presentation Server.

Author:  Michel Roth

Company:  Thincomputing.net

Introduction

First up, you need to know that the Security Configuration Wizard requires Windows Server 2003 Service Pack 1. The Security Configuration Wizard is a free tool from Microsoft which you can use to secure your servers. The Security Configuration Wizard (SCW) is a so-called “attack surface reduction” tool. It works by scanning your server to see what role (or roles) it has. Then it determines what the minimal software requirements for that role (or roles) are and allows you to disable everything else. This results in a security policy that you can easily apply to other servers which perform the same role(s). Since Terminal / Citrix server environments usually consist of many identical servers, the Security Configuration Wizard is an excellent tool to secure these servers.

What does the Security Configuration Wizard Do?

Before you can use the Security Configuration Wizard you have to install it first: the Security Configuration Wizard is not installed by default. You have to add it via add/remove programs by adding the Security Configuration Wizard Windows Component.


Figure 1: Adding the Security Configuration Wizard Role

Once you’ve installed the Security Configuration Wizard you’ll find it under Administrative Tools > Security Configuration Wizard.

Alternatively you can just execute “scw.exe” and that will also start the Security Configuration Wizard.

The Security Configuration Wizard then takes you through a multitude of steps where you have to input information about your server.

First, it will ask you whether you want to create a new policy, edit an existing one, apply an existing one or roll-back an applied policy. The latter is particularly neat when you’re developing your specific policy and it turns out that you’ve been a tad bit too restrictive…

Next you will have to select a server which will serve as a template/baseline for this specific configuration. In our case, when using the Security Configuration Wizard to configure a Terminal/Citrix server, make absolutely sure that the server you are using is indeed representative of all the other Terminal/Citrix servers you want to apply this policy to.
 


Figure 2: Selecting the template / baseline server

After the Security Configuration Wizard loads its configuration database, you’ll get to the actual configuring. Let’s take a look at what the Security Configuration Wizard configures:

Server Roles

Here the Security Configuration Wizard scans your server to see what role(s) are installed on the server. You can then select which roles you actually want to enable in the policy.

Client Features

The Security Configuration Wizard shows you what client roles are installed on your server. Here you can select which client features you want enabled.

Administration and Other Options

In this section, you can choose administration options such as error reporting and Terminal Server printer redirection, as well as other application options and Windows features that use services and ports. Note that all the options listed here are derived from the choices you made in the Server Roles section earlier.

Additional Services

Some services installed on your computer might not be in the Security Configuration Wizard database. These are the services that are shown in this section. Typically, non-Microsoft services show up here, so this is where you’ll get to configure Citrix services.

Handling Unspecified Services

This is a really important one. In this section you’ll configure what the Security Configuration Wizard does with services that aren’t installed on this current server, when you are applying a Security Configuration Wizard policy to other servers. You can select one of two choices:

  • Disable every service that isn’t in the current policy
  • Do nothing to services that aren’t in the current policy


Figure 3: Disabling unspecified services

This is why it is so important that your template / baseline server is exactly the same as the servers you want to apply the Security Configuration Wizard policy to. If you do this correctly then you can safely select “Disable the service”. This is the recommended setting if you want to thoroughly secure your Terminal / Citrix servers.

In the next window you’ll get a summary of the configuration you specified. It shows you the current state of each service and the state of the service after your configuration has been applied. Note that your configuration is not applied yet.

Network Security

In this section of the Security Configuration Wizard you can configure Windows Firewall and IPsec. You can choose to skip this section completely, but it is recommended that you configure Windows Firewall and IPsec to facilitate optimal security.

Open Ports and Approved Applications

In this first section the Security Configuration Wizard shows you what ports were listening for the roles and components you selected in the previous sections of the Security Configuration Wizard. If an application uses more than one port, this can only be determined by hovering over the description or by clicking on the triangle.

All the ports that you select can accept incoming connections, all other connections are dropped.

Figure 4: Selecting inbound ports and associated applications

In the next screen you will be asked to confirm the choices you made in the screen depicted above. Double-check to be sure that you have selected all inbound connections you need on your server because all other inbound traffic will be blocked.

Registry Settings

This is where you configure a number of settings of your server related to authentication protocols and LDAP and SMB signing. It’s imperative that you have a thorough understanding of what these sections mean. Like the wizard says, if you are not sure what to configure here, just skip this section. Getting these settings wrong will cause problems ranging from clients being unable to authenticate to this server, to leaving weak LM/NTLM responses on the wire for anyone to capture and crack.

The settings that are covered are:

  • Require SMB Security Signatures
  • Require LDAP Signing
  • Outbound Authentication Methods
  • Outbound Authentication Methods Using Domain Accounts
  • Outbound Authentication using Local Accounts
  • Inbound Authentication Methods
  • Registry Settings Summary
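The wizard writes these choices to well-known registry values, and it is worth reading them back after a policy is applied so you know what actually changed on a given Terminal/Citrix server. The following is an added example, not part of Michel Roth’s article: it reports the standard Windows locations for SMB signing, LM/NTLM compatibility, LM hash storage and LDAP client signing against a hardening target. The “Expected” values are this script’s own suggested targets (NTLMv2 only, signing required), not values the article prescribes; a lower LmCompatibilityLevel may be unavoidable while old clients are still around.

```powershell
# Added example: audit the registry settings behind the SCW "Registry Settings" pages
# on a server. Key/value names are the standard Windows locations for these settings;
# the Expected column is a suggested hardening target, not something SCW mandates.
param([string]$ComputerName = $env:COMPUTERNAME)

$checks = @(
    @{ Name='SMB signing required (server)'; Path='SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      ValueName='RequireSecuritySignature'; Expected=1 },
    @{ Name='SMB signing required (client)'; Path='SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; ValueName='RequireSecuritySignature'; Expected=1 },
    @{ Name='LM compatibility level';        Path='SYSTEM\CurrentControlSet\Control\Lsa';                           ValueName='LmCompatibilityLevel';      Expected=5 },
    @{ Name='LM hash storage disabled';      Path='SYSTEM\CurrentControlSet\Control\Lsa';                           ValueName='NoLMHash';                  Expected=1 },
    @{ Name='LDAP client signing';           Path='SYSTEM\CurrentControlSet\Services\LDAP';                         ValueName='LDAPClientIntegrity';       Expected=2 }
)

$base   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$report = foreach ($c in $checks) {
    $key    = $base.OpenSubKey($c.Path)
    $actual = if ($key) { $key.GetValue($c.ValueName, '<not set>') } else { '<key missing>' }
    New-Object PSObject -Property @{
        Setting  = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        # Compare as strings so '<not set>' and missing keys show up as REVIEW.
        Status   = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
    }
}
$base.Close()
$report | Format-Table Setting, Actual, Expected, Status -AutoSize
```

LmCompatibilityLevel 5 means the server sends only NTLMv2 and refuses LM and NTLM; that is exactly the setting that will lock out an old client, so check what connects to the farm before pushing it through SCW or Group Policy. LDAP server signing (LDAPServerIntegrity under NTDS\Parameters) only applies to domain controllers and is deliberately not checked here.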

Audit Policy

In this final section the Security Configuration Wizard allows you to configure the audit settings for your server. The Security Configuration Wizard presents you with three choices:

  • Do not audit
  • Audit successful activities
  • Audit successful and unsuccessful activities

What you select depends on your auditing needs. Know that the first choice naturally is the least demanding on your server and the latter the most demanding. It’s important to know that proper auditing can only be successful if you periodically review your (security) audit logs. Even better, use an automated system to review your (security) audit logs.

Another thing to know is that the Security Configuration Wizard also enables you to audit access to the file system. To this end the Security Configuration Wizard comes with SCWAudit.inf, which configures system access control lists (SACLs). This ensures that your server records write access by any user to any executable or configuration file in the Windows directory structure, and changes to the state or configuration of Windows services. Outside of these objects no additional SACLs are configured. Remember that events that write to the Windows directory structure, such as service packs, create massive logs.

The settings made by SCWAudit.inf are the only settings that cannot be reverted by rolling back the Security Configuration Wizard settings. To roll back these settings (to the default SACLs) you have to import “DefaultSACLs.inf” from C:\WINDOWS\Security\Msscw\Kbs. Consult the Security Configuration Wizard help for more information.
 

Terminal/Citrix Server Specific Configurations

When utilizing the Security Configuration Wizard to configure your Terminal/Citrix servers, it’s important to pay extra attention to the (additional) services section and to the ports section in network security.

For example when running the Security Configuration Wizard on a Citrix Presentation Server 4.0 Enterprise Edition server, you could encounter the following additional services:
 


Figure 5: Additional Terminal / Citrix Server specific additional services

Be sure to double check if all the services are shown in this window. Depending on your setup your server could have the following additional services running:

  • ADF Installer Service
  • Citrix CPU Utilization Mgmt/Resource Mgmt
  • Citrix CPU Utilization Mgmt/User-Session Sync
  • Citrix Licensing WMI
  • Citrix Print Manager Service
  • Citrix SMA Service
  • Citrix Virtual Memory Optimization
  • Citrix WMI Service
  • Citrix XTE Server
  • CitrixLicensing
  • Client Network
  • Independent Management Architecture
  • License Management Console for Citrix Licensing
  • MetaFrame COM Server

Again remember that this is your template server. If this, for example, is not the Citrix licensing server then the licensing components won’t show up here. Applying the resulting security policy to a server that is the Citrix licensing server could severely mess things up.

For strictly Terminal Server deployments, keep an eye out for services like Terminal Services Session Directory.

You also need to pay extra attention to the ports section of the Network Security component of the Security Configuration Wizard:
 


Figure 6: Configuring incoming ports for a Citrix Server

This is where you will be able to open up your system for the incoming ports required by the software on your server. Citrix specific ports could be any of the following:

  Name                               TCP/UDP   Port number
  ICA                                TCP       1494
  IMA                                TCP       2512
  Presentation Server Console        TCP       2513
  SSL                                TCP       443
  STA (IIS)                          TCP       80
  TCP Browsing                       UDP       1604
  XML (integrated with IIS)          TCP       80
  Citrix License Management Console  TCP       8082
  Presentation Server Licensing      TCP       27000
  Session Reliability                TCP       2598

Double-check that incoming port 1494 is detected; I’ve seen cases where the Security Configuration Wizard does not detect the need for this incoming port. Citrix has a support article up on this. Read it here.

Also, don’t forget to think about other third party software, like agents for backup programs or other tools that add functionality to your Terminal Servers (Softgrid, WISDOM).
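A quick way to catch both problems at once (a port the wizard failed to detect, and a third-party agent nobody remembered) is to compare the port table against what the template server is actually listening on before the policy is applied. The following is an added example, not part of the article. The port numbers come from the table above plus RDP (3389), which the article does not list; the parsing of `netstat -an` output is this script’s own and assumes the English column layout. Ports that exist only on servers hosting IIS or the licensing server (80, 443, 8082, 27000) are passed in with -ExtraPorts on those servers rather than hard-coded, for the same reason the article gives about the template server.

```powershell
# Added example: compare expected Citrix/Terminal Server listeners with what the server
# actually has open, and list any listener the port table does not account for.
# ASSUMPTION: English-language 'netstat -an' output (Proto / Local Address / ... / State).
param([string[]]$ExtraPorts = @())   # e.g. 'TCP/80','TCP/27000' on IIS / licensing hosts

$expected = @{
    'TCP/1494' = 'ICA'
    'TCP/2512' = 'IMA'
    'TCP/2513' = 'Presentation Server Console'
    'TCP/2598' = 'Session Reliability'
    'TCP/3389' = 'RDP (Terminal Services)'   # not in the article's table; added here
    'UDP/1604' = 'TCP Browsing (ICA browser)'
}
foreach ($p in $ExtraPorts) { $expected[$p] = 'site-specific' }

# Build the set of listening endpoints. TCP listeners carry state LISTENING; UDP lines
# have no state column, so every UDP socket counts as a listener.
$listening = @{}
netstat -an | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -lt 2) { return }
    $proto = $f[0].ToUpper()
    $port  = ($f[1] -split ':')[-1]     # works for 0.0.0.0:1494 and [::]:1494
    if ($proto -eq 'TCP' -and $f[-1] -eq 'LISTENING') { $listening["TCP/$port"] = $true }
    elseif ($proto -eq 'UDP')                         { $listening["UDP/$port"] = $true }
}

"Expected ports:"
foreach ($entry in ($expected.GetEnumerator() | Sort-Object Key)) {
    $state = if ($listening.ContainsKey($entry.Key)) { 'listening' } else { 'NOT LISTENING' }
    "  {0,-10} {1,-30} {2}" -f $entry.Key, $entry.Value, $state
}

# Anything else listening is either a third-party agent that must be added to the SCW
# port list, or a service that should be disabled by the policy.
"Unlisted listeners:"
$listening.Keys | Where-Object { -not $expected.ContainsKey($_) } | Sort-Object |
    ForEach-Object { "  {0}" -f $_ }
```

Run it on the template server before you walk through the Network Security section and again on a target server after the policy is applied; a port that was listening before and is missing afterwards is the wizard telling you it did not detect that application.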

Advanced Configurations

Of course, like any good tool, the Security Configuration Wizard comes with a command-line version as well: scwcmd.exe. You can use Scwcmd for the following tasks:

  • Configure one or many servers with an SCW-generated policy
  • Analyze one or many servers with an SCW-generated policy
  • View analysis results in HTML format
  • Roll back SCW policies
  • Register a Security Configuration Database extension with SCW
  • Transform an SCW-generated policy into native files that are supported by Group Policy

That’s right, scwcmd allows you to transform a Security Configuration Wizard policy (.xml file) into a GPO. This is one of the powerful features of this tool. Remember that any Internet Information Services (IIS) settings that are defined in the SCW policy will be lost during the scwcmd transform operation because Group Policy does not support configuration of IIS settings.

Just link this GPO to the OU which holds the servers that you created this policy for and you’re done!
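The following is an added example, not part of the article, showing how the scwcmd tasks listed above fit together for a farm of identical Terminal/Citrix servers: analyze first (read-only), review the HTML, apply to one server, then transform the policy into a GPO for the rest. The verbs and switches are those documented by `scwcmd /?` on Windows Server 2003 SP1; the policy path, server names, output directory and GPO name are placeholders, and the script assumes analyze writes its result as <server>.xml in the output directory, as the tool’s help describes.

```powershell
# Added example: the scwcmd workflow for rolling an SCW policy across identical servers.
# PLACEHOLDERS: $Policy, $Servers, $OutDir, $GpoName. Run from an account that already
# has admin rights on the targets rather than passing /u: and /pw: on the command line,
# where the password would land in shell history and logs.
param(
    [string]   $Policy  = 'C:\SCW\citrix-ps45.xml',
    [string[]] $Servers = @('CTXAPP01', 'CTXAPP02'),
    [string]   $OutDir  = 'C:\SCW\analysis',
    [string]   $GpoName = 'SCW - Citrix Presentation Servers'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($s in $Servers) {
    # 1. Analyze only: report drift between the policy and the server, change nothing.
    & scwcmd analyze "/m:$s" "/p:$Policy" "/o:$OutDir"
    if ($LASTEXITCODE -ne 0) { Write-Warning "$s : scwcmd analyze returned $LASTEXITCODE"; continue }

    # 2. Render the XML result as HTML for review before anything is enforced.
    #    ASSUMPTION: analyze names the result file <server>.xml in $OutDir.
    & scwcmd view "/x:$OutDir\$s.xml"
}

# 3. Once the analysis looks right, apply the policy to one server and test it there.
#    If it proves too tight:  scwcmd rollback /m:<server>
& scwcmd configure "/m:$($Servers[0])" "/p:$Policy"

# 4. Convert the policy into a GPO for the rest of the farm. IIS settings in the
#    policy are dropped by transform, as the article notes.
& scwcmd transform "/p:$Policy" "/g:$GpoName"
```

The analyze step is the one to lean on: it is the only part of the workflow that tells you what a policy built from the template server will break on a server that drifted from it, before any service is disabled.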

You can also customize the Security Configuration Wizard to include role definitions beyond the default set provided in Windows Server 2003 Service Pack 1. Microsoft has put up a detailed whitepaper on this.

Conclusion

There’s more than one way to skin a cat. You can, for example, use just Group Policy to control service state. The real value of the Security Configuration Wizard lies in its name. In its last name actually: wizard. It walks you through every step needed to create a detailed security policy consisting of previously separate components of Windows security. The ability to export Security Configuration Wizard policies to a GPO makes for excellent integration with existing Active Directory infrastructures.

So as long as you pay proper attention to selecting an appropriate template / baseline server, the Security Configuration Wizard is an excellent tool for helping you secure your servers.