The Ultimate Citrix Install Guide
 

16. NFuse Integration

NFuse is the focal point of any MetaFrame installation and, in turn, one of its most important components. A good friend of mine taught me that perception is reality, and NFuse is the first impression your users will have of their new Citrix environment. In keeping with this philosophy, a branded Project Columbia NFuse 1.61 site accomplishes all of this while giving you simplified installation and configuration. Not to mention that it looks very professional.

To implement a full-featured NFuse web site, follow these three steps:

       Install the NFuse 1.61 Web Extensions (standalone web server only)

       Extract and configure Project Columbia

       Brand your NFuse web portal

You will also want to make sure you follow the security recommendations for the particular web server that you are using.


16. 1. How to install NFuse 1.61 Web Extensions

In order to run NFuse on a standalone web server, you are required to install the NFuse web extensions. By default, setup installs NFuse into the C:\Program Files\Citrix\NFuse directory.

Note: If you are going to be running NFuse from a MetaFrame server, you will want to skip this step.

1.       Click Next

2.       Click I accept the license agreement radio button and click Next.


3.       You will want to read the README file for additional information and click Next.

4.       Click the OK to restart IIS radio button and click Next


5.       Click Next to accept the default location for the NFuse files. Make a note of this directory, because it is where the NFUSE.TXT and NFUSE.CONF files reside.

6.       Enter the name of a MetaFrame server in your farm that is running the XML service and the port that the XML service is listening on, then click Next.

Note: If you are unsure of the port XML is listening on, you can obtain that information in the CMC from the server's properties, on the MetaFrame Settings tab.


7.       You are now prompted to enter your web root location and click Next.

8.       The next screen asks you if you would like to install the latest ICA client CD to the ICAWEB directory for use in your NFuse portal.  I highly recommend it!  

Enter the location of the ICAWEB folder and click Next

Note: If you do not have access to the latest version (6.20) of the Citrix ICA Clients CD, you will need to download the clients from the Citrix Downloads site: click Download NFuse 1.61, click Yes to accept the license agreement, then click Generic Web-based ICA Client Install Package. Once downloaded, extract the ICAWEB620.EXE file to C:\ICACLIENT, then click Browse, select the C:\ICACLIENT\ICA620\ folder and click OK. Click Next.


9.       Click Next to install NFuse 1.61

10.    NFuse will now copy files, create registry entries and register .DLLs.

Note:  You might experience an error when installing NFuse.  If so then please refer to:  1.1.1 Error installing NFuse 1.61: The installation exited prematurely due to an error.

11.    Click Finish.  

You have successfully installed NFuse and are ready to proceed with implementing Project Columbia. You will now want to test your NFuse installation. To do this, open your web browser and in the address box type: Enter a username, password and domain and verify that you are able to launch a published application.

 


The following tech notes are available for NFuse 1.61.

16. 1. 1 Error installing NFuse 1.61: The installation exited prematurely due to an error.

You may receive the above error when installing NFuse 1.61 onto a MetaFrame XP FR1 server.

During the installation of NFuse 1.61, Setup attempts to modify the contents of the PNAgent folder beneath your Web server's document root directory (\InetPub\wwwroot\PNAgent). If your Web server is also a MetaFrame XP server with Feature Release 1, the PNAgent folder may already exist and be in use, preventing the NFuse 1.61 installer from completing. The error message you receive during installation is:

"The installation exited prematurely due to an error."

To resolve this issue, rename the \InetPub\wwwroot\PNAgent folder to PNAgent.bak before running the NFuse 1.61 installation program. If you made modifications to your PNAgent files, copy them from PNAgent.bak to the newly created PNAgent folder when NFuse 1.61 installation is complete.

 

16. 1. 2 NFuse 1.61 can not be uninstalled from when drives have been remapped

If NFuse 1.61 is installed onto a MetaFrame server whose server drives have been remapped, NFuse 1.61 fails to uninstall from the

On MetaFrame servers where the server drives were remapped during the MetaFrame installation, NFuse 1.61 fails to uninstall because the uninstall script assumes the existence of a C: drive.

To resolve this issue, temporarily substitute a C: drive for the drive where NFuse 1.61 is installed.

For example, if you remapped your server drives from C: to M: during the MetaFrame installation, issue the following command from a command prompt before attempting to uninstall NFuse 1.61:

SUBST C: M:\

This SUBST command creates a temporary C: drive whose contents exactly match the contents of the M: drive. NFuse 1.61 can now be uninstalled. When the uninstall is complete, issue the following command to remove the drive substitution:

SUBST C: /d


16. 1. 3 How to change the NFuse.HTM file to point to the correct web site path

The NFuse.htm file is a JavaScript page that redirects users to a subdirectory, the location of your NFuse portal. This is also a great file to use if the web server you are using does not have a default web page in the root of the web site. If this is the case, you can copy this file to the root, point it to the directory of your NFuse portal and rename it default.htm. When users hit your server, they will be automatically redirected to the NFuse portal.

If you are running NFuse 1.61 from a MetaFrame server, your web server might be configured to use the NFuse.htm file located in the root of your web server. If this is the case, you might experience problems if you upgraded to NFuse 1.61, because the NFuse.htm file that is installed with NFuse 1.61 points to the old directory for the NFuse 1.6 or below portal and not the new location for the NFuse 1.61 web site. If you have created your own portal or you are using Project Columbia, you will want to change this file to point to the proper location.

1.       Browse to the location of the NFuse.htm file and open it with NOTEPAD.   As shown below, it points to the file.  If this is the correct location of your NFuse portal then you can close this file and proceed to the next section.

2.       Type the new location of your NFuse portal as shown below.

3.       Save the file and test your NFuse site.  

 


16. 2. How to Install and Configure Project Columbia 6.30

Now that you have the NFuse web extensions installed and you have verified that the default NFuse 1.61 website is functioning properly you are ready to install and configure Project Columbia. 

All you need to do to install Project Columbia is extract the contents of the Columbia zip file to a folder of your choosing beneath your web site's root directory (by default c:\inetpub\wwwroot\). That's it! And configuring it is nearly as simple.

A huge percentage of the configuration of Project Columbia is done through the config.txt file located in the config subfolder of the Columbia website. After making changes to the config.txt file, you must restart the World Wide Web Publishing service or unload the ASP application in Internet Services Manager, then point your browser to default.htm.

The following requirements apply to the web server hosting the Project Columbia files:

          Windows 2000 with IIS 5.0

          NFuse 1.6

          Active Directory Services Interface (ADSI) 2.5 or later

          VBScript Scripting Engine 5.0 or later

          Active Server Pages 3.0 or later

 

16. 2. 1 How to Install Project Columbia

1.       Download and extract the contents of the .zip file to a folder of your choosing. 

Note: you can download Project Columbia v6.01.037 from: http://www.dabcc.com/nfuse/Files/Columbia_6.01.037.zip

2.       Once you have extracted the files, open the folder where you extracted them, select all the files, then right-click them and select Copy.


3.       Browse to your web server root directory (by default C:\inetpub\wwwroot) and create a new folder.

Note: Give thought to the name of this folder, for it is the name your users will be browsing to. I sort of like calling it portal.

 

4.       Open the folder you created in the above step and right click and select Paste.


5.       Now that you have copied Project Columbia to your web site folder you are ready to configure it.    Double Click on the CONFIG folder to open it.

6.       In the CONFIG folder there will be three files. Double-click the config.txt file to edit it.

Note: the help.htm file is listed below.

 

Note: All administration is done through the config.txt file.  At NO time should you edit any other file.

 

Below you will find the default config.txt file that you will edit and the help.htm file that explains each of the settings in detail. After you have made your changes and saved the config.txt file, you will need to restart the IIS services. To do this, click Start, click Run, type IISRESET and click OK.

16. 2. 2 How to configure Project Columbia

Project Columbia includes a file named config.txt where you indicate your preferences regarding how its features should be implemented.

This section describes each feature of Project Columbia and explains how it is implemented. For features that require changes to the config.txt file, the syntax is provided.

The default config.txt file is shown here:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Citrix NFuse Project Columbia
; Please read help.htm before configuring this file.
; For changes to take effect you must restart the World 
; Wide Web Publishing Service
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
NFuse_ColumbiaVersion=6.01.037
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Configuring XML Services
;
; NFuse_Farm=Farm 1 name, 0, server1, server2, server3
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Automatic Client Delivery
NFuse_PushWin32WebClient=NULL
NFuse_Win32WebClientVersion=6,20,986,0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Changing expired passwords
NFuse_ChangePasswordMode=ICA
NFuse_ICAModePasswordChangeServer=default
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; NAT, Proxies and Port Address Translation
;NFuse_InternalNetworks=192.168.
;NFuse_PortMap=10.3.2.1:1494, 206.35.17.10:4001
;NFuse_PortMap=10.3.2.2:1494, 206.35.17.10:4002
;NFuse_PortMap=10.3.2.3:1494, 206.35.17.10:4003
;NFuse_IgnorePortMaps=10., 192.168.
;NFuse_ProxyAddr=206.12.34.56, 192.168.0.1
;NFuse_ReverseProxyAddr=192.168.1.1
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Application launch and display options
NFuse_NumberOfColumns=3
NFuse_IconPercent=100
NFuse_EmbedApplications=Off
NFuse_EmbedMethod=3
NFuse_AllowCustomizeLaunchType=Off
NFuse_ShowAppIcons=1
NFuse_ShowAppNames=1
NFuse_ShowAppDescriptions=0
;NFuse_HiddenApps=app1, app2, app3
;NFuse_HiddenFolders=folder1, folder2, folder3
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Citrix Secure Gateway and SSL Relay integration
;CSG_Enable=On
;CSG_Gateway=your.server.fqdn.com:443
;CSG_STA=http://sta_server1:80/Scripts/CtxSta.dll
;CSG_STA=http://sta_server2:80/Scripts/CtxSta.dll
;CSG_STA=http://sta_server3:80/Scripts/CtxSta.dll
;CSG_InternalNetworks=10.,192.168.
;NFuse_SSLPrivateRootCertName=myroot.cer
;NFuse_SSLPrivateRootCABFile=myroot.cab
;NFuse_SSLPrivateRootJARFile=myroot.jar
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Other miscellaneous features
; NFuse_DomainList=DOMAIN1, DOMAIN2, DOMAIN3
NFuse_HideSingleDomainList=0
NFuse_PopulateUserName=0
NFuse_DisableRightClick=0
NFuse_LaunchSingleApp=0
;NFuse_IdleSessionTimeout=20
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Logging and Debugging
NFuse_Debug=0
NFuse_LogGatewayErrors=0
NFuse_LogGatewaySuccess=0
NFuse_LogSignonErrors=0
NFuse_LogSignonSuccess=0
 

Configuring XML Services

By default, Columbia will connect to the XML service that you provided when you installed NFuse. However, this address can be replaced with one or more other XML services using the NFuse_Farm preference in config.txt. If an NFuse_Farm entry exists in config.txt, the default XML service address and port listed in your NFuse.conf file will be ignored.

Syntax:

NFuse_Farm=Farm-name, load-balance-flag, xml-addr[:xml-port][|ssl-addr[:ssl-port]] [, ...]

where:

         Farm-name is a string of your choice describing the server farm (it does not have to match the actual farm name)

         load-balance-flag is a zero (0) or one (1) indicating whether or not the XML services listed should be load-balanced in a round-robin fashion

         xml-addr is the name or IP address of a MetaFrame server running the Citrix XML service

         xml-port is the TCP port number where the XML service is running (default 80)

         ssl-addr is the name of the MetaFrame server running the SSL Relay service

         ssl-port is the TCP port number where the SSL Relay service is running (default 443)

 

Multiple XML/SSL services may be listed, separated by commas. If load-balance-flag is 0, then Columbia will treat the list as a backup server list: the first server will always be used, unless it becomes unavailable. If load-balance-flag is 1, then the list of XML services will also be transposed with each logon request to impose round-robin load-balancing across all XML servers in addition to treating the list as a backup server list.

If no port numbers are specified, Columbia will assume that all XML services are running on port 80 and all SSL Relay services are running on port 443. If no SSL Relay address is provided, Columbia will communicate directly with the XML service.

Note: All MetaFrame servers should be running the XML service on the same port.

To aggregate applications from multiple server farms, simply enter additional NFuse_Farm lines in config.txt. There is no limit to the number of farms that can be aggregated this way, but all server farms must be accessible by a single user account. Columbia does not provide a single sign-on feature for server farms in multiple security scopes.

Each server farm may contain a different number of XML services. The load-balancing option may be configured differently for each farm.

Examples:

NFuse_Farm=Citrix Applications, 1, ctxserver1, ctxserver2, ctxserver3
Single server farm load-balanced across three XML services, all running on port 80. No SSL Relay.

NFuse_Farm=Human Resources, 0, HRMetaFrame:8080
NFuse_Farm=Sales, 1, 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4
NFuse_Farm=Marketing, 0, mktsrv.company.com:8000
Aggregating applications from three server farms, where only the Sales farm is configured for XML service load-balancing


Configuring SSL Relay Services

To specify SSL Relay addresses for an XML Service identified with the NFuse_Farm preference, append a vertical stroke "|" to the XML service address, followed by the server name and TCP port of the SSL Relay server. If no port is specified, 443 is assumed.

Important: The server name must exactly match the subject name of the server certificate that you installed on the MetaFrame server when you configured the SSL Relay Service. Additionally, the root certificate of the certification authority who issued your MetaFrame server certificate must be installed on the NFuse web server as a Trusted Root Certification Authority.

Example:

NFuse_Farm=Company Apps, 0, srv01:8080 | srv01.company.com, srv02:8080 | srv02.company.com
Single server farm using SRV01:8080 as the primary XML service and SRV02 as a backup. SSL Relay is configured at port 443 on each of the MetaFrame servers with SSL server certificates matching their fully-qualified domain name.
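
The NFuse_Farm syntax from the two sections above, including the SSL Relay suffix, worked through as a parser. This is an added example, not code from Project Columbia or from the original guide. It applies the documented port defaults (80 and 443) and lists the XML services that have no SSL Relay address, which Columbia contacts directly; the function names, the case-insensitive key match and the sample text are assumptions of this example.

```python
# Added example: parser for the NFuse_Farm syntax documented above.
# Not Project Columbia's code; names and sample data are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_XML_PORT = 80    # documented default for xml-port
DEFAULT_SSL_PORT = 443   # documented default for ssl-port


@dataclass
class XmlService:
    xml_addr: str
    xml_port: int
    ssl_addr: Optional[str]   # None: no SSL Relay, XML service contacted directly
    ssl_port: Optional[int]


@dataclass
class Farm:
    name: str
    load_balance: bool        # True when load-balance-flag is 1
    services: List[XmlService]


def _split_host_port(text: str, default_port: int) -> Tuple[str, int]:
    """Split 'addr[:port]' and apply the default port when none is given."""
    host, sep, port = text.strip().partition(":")
    host, port = host.strip(), port.strip()
    if not host:
        raise ValueError(f"empty address in {text!r}")
    if sep and not port.isdigit():
        raise ValueError(f"bad port in {text!r}")
    port_num = int(port) if sep else default_port
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in {text!r}")
    return host, port_num


def parse_farm(value: str) -> Farm:
    """Parse the right-hand side of one NFuse_Farm= line."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 3:
        raise ValueError("need farm name, load-balance flag and one XML service")
    name, flag, entries = fields[0], fields[1], fields[2:]
    if flag not in ("0", "1"):
        raise ValueError(f"load-balance-flag must be 0 or 1, got {flag!r}")
    services = []
    for entry in entries:
        xml_part, sep, ssl_part = entry.partition("|")
        xml_addr, xml_port = _split_host_port(xml_part, DEFAULT_XML_PORT)
        ssl_addr = ssl_port = None
        if sep:
            ssl_addr, ssl_port = _split_host_port(ssl_part, DEFAULT_SSL_PORT)
        services.append(XmlService(xml_addr, xml_port, ssl_addr, ssl_port))
    return Farm(name, flag == "1", services)


def parse_config(text: str) -> List[Farm]:
    """Collect every NFuse_Farm line; ';' starts a comment line."""
    farms = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        # Assumption: key names are matched without regard to case.
        if sep and key.strip().lower() == "nfuse_farm":
            farms.append(parse_farm(value))
    return farms


def services_without_ssl_relay(farms: List[Farm]) -> List[Tuple[str, str, int]]:
    """(farm, xml-addr, xml-port) for each service reached without SSL Relay."""
    return [(farm.name, svc.xml_addr, svc.xml_port)
            for farm in farms for svc in farm.services if svc.ssl_addr is None]


# Constructed sample assembled from the example lines on this page.
SAMPLE = """\
; constructed sample
NFuse_Farm=Human Resources, 0, HRMetaFrame:8080
NFuse_Farm=Sales, 1, 10.1.1.1, 10.1.1.2
NFuse_Farm=Company Apps, 0, srv01:8080 | srv01.company.com, srv02:8080 | srv02.company.com
"""

if __name__ == "__main__":
    for farm_name, addr, port in services_without_ssl_relay(parse_config(SAMPLE)):
        print(f"{farm_name}: {addr}:{port} has no SSL Relay configured")
```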

 

Automating Win32 Web Client Downloads

For Windows 32-bit client machines, the ICA client can be delivered automatically. Columbia implements this feature by including an ActiveX control in a hidden HTML frame after the user has logged in. The required CAB files for this feature exist beneath the clients subdirectory.

Two client packages are included: a full Program Neighborhood ICA client (3.4 MB) and a "thin" ICA client (1.6 MB). The full client includes a graphical Program Neighborhood interface that may be used without NFuse. The thin client contains no user interface, requiring users to access applications through NFuse. You can control which client is delivered by Columbia with the following entries in config.txt:

NFuse_PushWin32WebClient=ClientPackage
NFuse_Win32WebClientVersion=ClientVersion

Where:

         ClientPackage is one of the following:

         Thin - downloads the thin 1.6 MB ICA client, wficat.cab (default)

         Full - downloads the full 3.4 MB ICA client, wfica.cab

         Off - no client is automatically delivered to the user. (Identical to NFuse 1.6)

         ClientVersion is the version number of the CAB files as it would appear in an HTML <OBJECT> tag. The initial value is 6,2,985,0. If you replace the cab files beneath the client directory with a newer ICA client version, update the NFuse_Win32WebClientVersion value with the new client version number in order to deliver the upgraded client to users that already have an older ICA client.

For non-Windows clients, client detection and download behavior is identical to NFuse 1.6.

Note: These settings are ignored if Columbia is configured for embedded Java applet delivery as detailed in the Embedding published applications section below.

 

Changing Expired Passwords

If a user logs onto the Columbia web site with a password that has expired, there are three ways that Columbia might respond. In "ICA mode", the user is prompted to make an ICA connection to a MetaFrame server where they would be prompted by the normal logon dialog box to change their password. In "HTML mode", an HTML form is returned allowing the user to change their password through the web page. Finally, you can opt for "null", which will not prompt the user to change their password.

To control this behavior, use the NFuse_ChangePasswordMode setting in config.txt. The syntax of this item is:

NFuse_ChangePasswordMode=ICA | HTML | Null

Each of the three modes is explained below.

1. ICA Mode

With NFuse_ChangePasswordMode=ICA, users who have entered expired credentials are shown a link after the error message in the NFuse Message Center that reads "Click here to change your password." This link initiates an ICA session to a MetaFrame server, where the user should be prompted by that MetaFrame server's operating system to change their password. Once the password change is successful, the user is logged out. At this point they may log into NFuse using their new password.

By default, the MetaFrame server to which the user is connected will match the MetaFrame server hosting the XML service when the expired credentials were discovered. An additional entry in config.txt allows this address to be overridden should you wish to delegate a different server for password changes:

NFuse_ICAModePasswordChangeServer=default

To specify a different server, change this value from default to the name or IP address of the MetaFrame server of your choice. Use the MetaFrame server's internal IP address; clients subject to alternate addressing, port mapping or proxy servers will still be able to connect.

2. HTML Mode

With NFuse_ChangePasswordMode=HTML, when the user logs in with a password that has expired, an HTML form pops up allowing the user to change their password through the web server. Once logged in, a key icon appears allowing the user to change their password at any time, regardless of whether it has expired.

Important: In order for HTML-mode password changes to succeed, either the web server must be a domain controller in the same domain in which the user account resides, or the Columbia web pages must be served by a Domain Admin user account instead of the IUSR_MachineName account.

To serve the Columbia web pages with a Domain Admin account, follow these steps:

1.       On the web server, launch Internet Services Administration

2.       Right-click the folder containing the Columbia web pages and select "Properties..."

3.       Click the "Directory Security" tab

4.       In the "Anonymous Access and Authentication Control" section, click "Edit..."

5.       In the Anonymous Access section, click "Edit..." to change the account used for anonymous access

6.       Click the "Browse..." button and locate a user account that is a member of the Domain Admins group

7.       Click OK three times.

Currently, HTML mode is not capable of changing Novell NDS passwords. For expired Novell accounts, use ICA mode.

3. Null mode

When NFuse_ChangePasswordMode=null, behavior is identical to NFuse 1.6: an error is returned but the user must change their password without using NFuse to continue.


Navigating a NAT firewall

If external users need to traverse a firewall performing Network Address Translation (NAT), then rendered ICA files sent to those users will need to include the MetaFrame server's alternate (external) address instead of its internal address. Each MetaFrame server should have a unique alternate address; to route all users through a single external IP address, use the Port Address Translation feature described below. To configure alternate addresses, run ALTADDR.EXE from the command prompt of each MetaFrame server.

The syntax for this preference is:

NFuse_InternalNetworks=IP-prefix [, ...]

where all internal clients have IP addresses beginning with IP-prefix.

When configured for NAT, Columbia will detect each user's IP address and return the internal or external address of each MetaFrame server as appropriate. In order to configure Columbia for NAT, you must specify the network prefixes for all internal networks. For any user whose IP address does not begin with one of the specified prefixes, the alternate address will be returned.

For example, if your internal network consists of some 10.0.0.0/8 addresses and some 192.168.0.0/16 addresses, you would add the following line to config.txt:

NFuse_InternalNetworks=10., 192.168.

Any client whose IP address does not begin with "10." or "192.168." would then receive the alternate address from each MetaFrame server instead of its internal address when launching applications.

Important: NFuse.conf also allows you to configure the alternate address behavior for the web site. In order for Columbia to selectively render ICA files with alternate addresses based on the client's IP address, NFuse.conf must be configured with AlternateAddress=Off. If NFuse_InternalNetworks is blank or absent, the AlternateAddress setting in NFuse.conf is honored.

 

Port Address Translation

With Port Address Translation, you can define mappings from internal MetaFrame IP addresses to external IP addresses and ports. Using this feature it is possible to route traffic to all internal MetaFrame servers through a single external IP address. These settings will override the Alternate Address preferences defined above and only apply to clients who are not on any of the networks defined by NFuse_IgnorePortMaps.

Two preferences work to enable this feature, NFuse_PortMap and NFuse_IgnorePortMaps. The syntax for each is:

NFuse_IgnorePortMaps=IP-prefix [, ...]
NFuse_PortMap=internal-address,external-address[:port]

Enter one NFuse_PortMap line for each MetaFrame server. For example, suppose you have three MetaFrame servers on the 10.3.2.0 subnet but only a single Internet IP address, 206.35.17.10, on which you have configured port address translation routing external traffic from ports 4001-4003 to the three internal MetaFrame servers on port 1494. You would configure the items as follows:

NFuse_IgnorePortMaps=10.
NFuse_PortMap=10.3.2.1:1494, 206.35.17.10:4001
NFuse_PortMap=10.3.2.2:1494, 206.35.17.10:4002
NFuse_PortMap=10.3.2.3:1494, 206.35.17.10:4003

This example assumes that AddressResolutionType=ipv4-port in your NFuse.conf file. If you change the address resolution type in NFuse.conf, you must alter the format of the internal addresses on each NFuse_PortMap line to match your new setting. The external IP address need not be the same for all servers. But when it is, the mapped port numbers must be unique for each MetaFrame server.

Important: For this feature to work, you must have configured Port Address Translation on your firewall so that traffic from the configured external ports reaches the appropriate internal destination.

 

Navigating Client-side Proxy Servers and Reverse Proxy Servers

The syntax for this preference is:

NFuse_ProxyAddr=proxy-external-ip, proxy-internal-ip[:port]

where

proxy-external-ip is the external interface of the proxy server, from the client's perspective. This interface should be capable of routing traffic to the NFuse web server and MetaFrame servers.

proxy-internal-ip is the internal interface of the proxy server from the client's perspective. The client will proxy ICA traffic through this interface.

port is the TCP port number where proxy-internal-ip is listening for SOCKS proxy connections. If no port is specified, 1080 is assumed.

For example, suppose clients are on a non-routable 192.168.0.0/24 network accessing your NFuse web server and MetaFrame servers through a SOCKS proxy server connected to the Internet. The internal interface of the proxy server to which the clients connect is 192.168.0.1 and its external interface on the Internet is 206.12.34.56. You would add the following line to config.txt to allow ICA traffic from the non-routable clients to traverse the proxy server:

NFuse_ProxyAddr=206.12.34.56, 192.168.0.1

To enable connectivity through multiple proxy servers, enter additional NFuse_ProxyAddr lines.

This feature may also be used to accommodate Citrix Extranet clients running in localhost proxy mode. (It is not necessary for clients using the Extranet SHIM package.) For example, if your Extranet server's inside IP address were 10.9.100.100, you would add the following line to config.txt:

NFuse_ProxyAddr=10.9.100.100, 127.0.0.1:1080

 

Reverse Proxy Servers

Reverse Proxy Servers, such as Microsoft's Internet Security & Acceleration Server, proxy connections from the Internet and communicate with internal machines on their behalf. This can cause problems with Project Columbia's NAT, Port Mapping or CSG preferences by falsely identifying external users as belonging to the internal network.

To allow clients who are routed through a reverse proxy server to be properly recognized as external, specify the internal IP address of the reverse proxy server in config.txt. For example:

NFuse_ReverseProxyAddr=192.168.1.1

If more than one reverse proxy server is in use on your network, enter additional NFuse_ReverseProxyAddr lines.
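
An added Python model of the address selection described in the NAT, Port Address Translation and Reverse Proxy Servers sections above; it is not Project Columbia's own code. It assumes that "begins with IP-prefix" is a literal string comparison, which is why it also flags prefixes that lack a trailing dot. The function names, the 203.0.113.x and 198.51.100.x addresses and the sample text are constructed for illustration.

```python
# Added example: model of the documented address-selection rules.
# Assumption: prefix matching is a plain string "starts with" test.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ColumbiaNet:
    internal_networks: List[str] = field(default_factory=list)  # NFuse_InternalNetworks
    ignore_port_maps: List[str] = field(default_factory=list)   # NFuse_IgnorePortMaps
    port_maps: Dict[str, str] = field(default_factory=dict)     # NFuse_PortMap
    reverse_proxies: List[str] = field(default_factory=list)    # NFuse_ReverseProxyAddr


def parse_net_config(text: str) -> ColumbiaNet:
    """Read the four network preferences; ';' starts a comment line."""
    cfg = ColumbiaNet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()   # assumption: keys are case-insensitive
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "nfuse_internalnetworks":
            cfg.internal_networks += items
        elif key == "nfuse_ignoreportmaps":
            cfg.ignore_port_maps += items
        elif key == "nfuse_reverseproxyaddr":
            cfg.reverse_proxies += items
        elif key == "nfuse_portmap" and len(items) == 2:
            cfg.port_maps[items[0]] = items[1]   # internal -> external[:port]
    return cfg


def _matches(ip: str, prefixes: List[str]) -> bool:
    return any(ip.startswith(p) for p in prefixes)


def address_for_client(cfg: ColumbiaNet, client_ip: str,
                       internal: str, alternate: str) -> str:
    """Address written into the ICA file for this client.

    internal is 'ip:port', as with AddressResolutionType=ipv4-port;
    alternate is the address configured with ALTADDR.EXE.
    """
    # A request relayed by a listed reverse proxy counts as external.
    via_reverse_proxy = client_ip in cfg.reverse_proxies
    # Port maps override alternate addresses, except for ignored networks.
    if via_reverse_proxy or not _matches(client_ip, cfg.ignore_port_maps):
        if internal in cfg.port_maps:
            return cfg.port_maps[internal]
    # Clients outside every internal prefix receive the alternate address.
    if cfg.internal_networks and (
            via_reverse_proxy or not _matches(client_ip, cfg.internal_networks)):
        return alternate
    # With no NFuse_InternalNetworks, NFuse.conf decides; this model
    # assumes AlternateAddress=Off there and returns the internal address.
    return internal


def loose_prefixes(prefixes: List[str]) -> List[str]:
    """Prefixes without a trailing dot: '10' also matches '100.20.30.40'."""
    return [p for p in prefixes if not p.endswith(".")]


# Constructed sample based on the example lines on this page.
SAMPLE = """\
; constructed sample
NFuse_InternalNetworks=10., 192.168.
NFuse_IgnorePortMaps=10., 192.168.
NFuse_PortMap=10.3.2.1:1494, 206.35.17.10:4001
NFuse_ReverseProxyAddr=192.168.1.1
"""

if __name__ == "__main__":
    cfg = parse_net_config(SAMPLE)
    for client in ("10.3.9.9", "203.0.113.7", "192.168.1.1"):
        print(client, "->",
              address_for_client(cfg, client, "10.3.2.1:1494", "198.51.100.1:1494"))
    print("loose prefixes:", loose_prefixes(["10", "192.168."]))
```

The same prefix check applies to CSG_InternalNetworks, where a prefix that matches too much lets the matched clients connect directly to MetaFrame servers without using CSG.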


Integrating with Citrix Secure Gateway or the SSL Relay Service

In a Citrix Secure Gateway (CSG) deployment, you may use Project Columbia instead of the sample NFuse site included with CSG. To do so, follow the CSG documentation guidelines for installing the Secure Ticket Authority (STA) and the CSG Gateway Service. Then configure the following entries in Project Columbia's config.txt file:

CSG_Enable=On
CSG_Gateway=csg-gateway.company.com:443
CSG_STA=http://STA-server-1:80/Scripts/CtxSta.dll
CSG_STA=http://STA-server-2:80/Scripts/CtxSta.dll (optional)
CSG_STA=http://STA-server-3:80/Scripts/CtxSta.dll (optional)
CSG_InternalNetworks=IP-prefix [, ...]

where:

         csg-gateway.company.com is the fully-qualified domain name (FQDN) of the server running the Citrix Secure Gateway service. This FQDN must exactly match the subject name of the server certificate installed on the CSG gateway server, and all clients must be able to resolve this FQDN to the gateway's external IP address.

         STA-server-1 is the server name or IP address of a Secure Ticket Authority. Only one STA server is required for normal operation, but up to 8 STA servers may be listed for failover purposes.

         IP-prefix is a comma-separated list of client IP address prefixes for whom CSG should not be used. For example, if CSG_InternalNetworks=10.,192.168. then any end user whose IP address begins with "10." or "192.168." will connect directly to MetaFrame servers without using CSG.

 

Using Your Own Private SSL Certificates

If you have configured CSG or the Citrix SSL Relay service with a server certificate obtained from a private certification authority (e.g. Microsoft Certificate Services), you must install your CA's root certificate onto any client machine in order for the ICA-SSL connection to succeed. In the case of the embedded ICA Java client, the root certificate must be packaged into a .cab file (for Internet Explorer users) or a .jar file (for Netscape users). The .cab and .jar files must then be copied to your web server beneath Columbia's "clients" subdirectory. The steps for packaging and using a private root certificate with Columbia and the ICA Java client are as follows:

1.        Export your private root certificate to a file named myroot.cer. You specify this certificate name for the NFuse_SSLPrivateRootCertName entry in config.txt.

2.        Download an appropriate Java Development Kit (JDK):

o        To create .jar files for Netscape and other JVMs, download a copy of the Sun JDK from http://java.sun.com/

o        To create .cab files for Internet Explorer, download the Microsoft SDK for Java from http://www.microsoft.com/java/download.htm

3.        Create the Java archive:

For example, to make a .jar file containing the certificate myroot.cer

o        Type the following at the command line, after installing the Sun JDK tools and putting them on your PATH:

jar -cf myroot.jar myroot.cer

This command generates an archive called myroot.jar. You specify this archive name for the NFuse_SSLPrivateRootJARFile entry in config.txt.

To make a .cab file containing the certificate myroot.cer:

o        Type the following at the command line, after installing the Microsoft SDK for Java and ensuring the CABARC tool is on your PATH:

CABARC n myroot.cab myroot.cer

This command generates an archive called myroot.cab. You specify this archive name for the NFuse_SSLPrivateRootCABFile entry in config.txt.

4.        Copy the myroot.jar and myroot.cab files you created into Columbia's clients subdirectory.

5.        Add the following entries to config.txt:

NFuse_SSLPrivateRootCertName=myroot.cer
NFuse_SSLPrivateRootCABFile=myroot.cab
NFuse_SSLPrivateRootJARFile=myroot.jar

6.        Restart IIS by typing 'iisreset' in order for the config.txt changes to take effect.
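Clients will trust whatever root certificate sits in the archives served from the clients subdirectory, so it is worth confirming the result of steps 1 to 6. The Python check below is an added example, not part of Columbia or the original guide: it verifies that the files named in config.txt exist and that the .jar holds a byte-identical copy of the exported root. The function names and the paths passed in are assumptions, and the .cab is checked only for presence and its MSCF file signature.

```python
import zipfile
from pathlib import Path

CAB_MAGIC = b"MSCF"  # signature at the start of a Microsoft cabinet file

def read_config(path):
    """Parse key=value lines (the layout shown for config.txt) into a dict."""
    lines = Path(path).read_text().splitlines()
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines) if v}

def check_jar(jar_path, cert_name, cert_bytes):
    """A .jar is a zip: it must hold the named cert, byte for byte, and nothing else."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = jar.namelist()
            if cert_name not in names:
                return [f"{cert_name} not found inside {jar_path.name}"]
            problems = []
            if jar.read(cert_name) != cert_bytes:
                problems.append(f"{cert_name} in {jar_path.name} differs from exported root")
            # The jar tool adds META-INF/ entries itself; anything else is unexpected.
            extra = [n for n in names if n != cert_name and not n.startswith("META-INF/")]
            if extra:
                problems.append(f"unexpected entries in {jar_path.name}: {extra}")
            return problems
    except zipfile.BadZipFile:
        return [f"{jar_path.name} is not a valid archive"]

def check_private_root(config_path, clients_dir, exported_cert):
    """Return a list of problems; an empty list means the packaging is consistent."""
    cfg, clients = read_config(config_path), Path(clients_dir)
    cert_name = cfg.get("NFuse_SSLPrivateRootCertName")
    if not cert_name:
        return ["NFuse_SSLPrivateRootCertName is not set"]
    problems = []
    jar = clients / cfg.get("NFuse_SSLPrivateRootJARFile", "")
    cab = clients / cfg.get("NFuse_SSLPrivateRootCABFile", "")
    if jar.is_file():
        problems += check_jar(jar, cert_name, Path(exported_cert).read_bytes())
    else:
        problems.append("JAR file named in config.txt is missing from clients directory")
    # Cabinet contents are not parsed here: only presence and file signature.
    if not cab.is_file():
        problems.append("CAB file named in config.txt is missing from clients directory")
    elif cab.read_bytes()[:4] != CAB_MAGIC:
        problems.append(f"{cab.name} is not a cabinet file")
    return problems
```

Run it against the exported myroot.cer each time the archives are rebuilt or copied to another web server.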

Altering display options

Columbia allows you to control the size of application icons and arrange the icons into any number of columns. By default, icons are 32x32 pixels and grouped into 3 columns.

The syntax for these preferences is:

NFuse_NumberOfColumns=integer
NFuse_IconPercent=percentage

where integer is the desired number of columns (default 3) and percentage is the percentage by which you wish to scale each icon's width and height. For example, if NFuse_IconPercent=50, icons will be drawn at 16x16 pixels.

You can also set default display options with the following preferences:

         NFuse_ShowAppIcons=1

         NFuse_ShowAppNames=1

         NFuse_ShowAppDescriptions=1

These settings represent web server defaults that may be overridden by the end user if AllowCustomizeSettings=On in NFuse.conf.

 


Embedding published applications

By default, NFuse 1.6 will launch applications in a separate seamless window. Columbia allows you to embed published applications into an HTML page using the ActiveX, Netscape plugin, or Java applet ICA clients.

This preference is controlled by two settings in config.txt:

NFuse_EmbedApplications=Off | On
NFuse_EmbedMethod=1 | 2 | 3

where NFuse_EmbedMethod numbers correspond to the following choices:

1.        ActiveX Control

2.        Netscape Plugin

3.        Java Applet

When NFuse_EmbedApplications=On, applications launch in an HTML window with the preferred ICA client embedded into the window.

If desired, the webmaster may allow end users to choose their own method for launching applications. This preference is controlled by the following setting:

NFuse_AllowCustomizeLaunchType=Off | On

If NFuse_AllowCustomizeLaunchType=On, then users will receive a menu labeled "Client type" on the NFuse settings page allowing them to choose between launching applications with their native ICA client or embedding applications with any of the three browser embedding methods listed above.

Note: In order for users to see the settings page, you must set AllowCustomizeSettings=On in NFuse.conf.

 

Hiding published applications and folders

In some cases, you may want to publish an application without allowing it to appear on the NFuse web page. Columbia allows you to hide applications by specifying the names of the applications you wish to hide. To remove published applications from view, specify their names in a comma-separated list for the NFuse_HiddenApps preference. For example:

NFuse_HiddenApps=Microsoft Outlook, Excel, My Hidden App

The application list is not case-sensitive, but must exactly match the name of the published application.

Likewise, you may hide an entire folder from view with:

NFuse_HiddenFolders=folder1,folder2,...

Columbia also automatically hides any application that is currently disabled.

 

Other miscellaneous features

Columbia includes a few other usability enhancements:

         Use NFuse_DomainList to indicate a comma-separated list of domains to which the user might authenticate. Columbia creates a drop-down menu on the NT login page containing an item for each of the domains you list. If you list only one domain, the menu can be hidden by setting NFuse_HideSingleDomainList=1.
Note: This feature overrides the ForceLoginDomain entry in NFuse.conf.

         When NFuse_PopulateUsername=1, NFuse will extract the domain name and username from the user's workstation if they are already logged into the domain from their client machine. This option should only be used when all clients are known to be authenticated with NT credentials from their workstation before visiting the Columbia web site. Users who are not already authenticated to the domain will be prompted twice for their password.

         When NFuse_DisableRightClick=1, users are unable to use the right mouse button anywhere on the application page. This prevents users from saving ICA files to disk (though doing so is not a risk since Ticketing allows only one connection per ICA file).

         If a user's application set consists of only one application, Columbia will automatically launch that application immediately upon user logon if NFuse_LaunchSingleApp=1.

         On the login page, Columbia automatically focuses user input on the Username field (or the Password field if the username has been pre-populated).

         Set NFuse_IdleSessionTimeout to the number of minutes after which an idle web browser is logged out of its NFuse session. If the web server registers no user activity for this number of minutes, the user must re-authenticate to the web server before launching further applications. By default, the session timeout is inherited from the properties of your web server.

This setting has no effect on ICA sessions that have already been launched; to control timeout behavior for existing ICA sessions, use Citrix Connection Configuration on the MetaFrame server.

Logging and Debugging

To assist you in configuring Columbia, the following preferences may be set in the config.txt file:

NFuse_Debug=1
NFuse_LogGatewayErrors=1
NFuse_LogGatewaySuccess=1
NFuse_LogSignonErrors=1
NFuse_LogSignonSuccess=1

When NFuse_Debug=1, a table of web server variables is appended to the bottom of each page, allowing you to view any Application variables, Session variables, Cookies or HTTP environment variables currently in use. In lieu of adding this line, you may also retrieve this information at any time by pointing your browser to http://server-name/path-to-Columbia/debug.asp.

The other preferences govern what information is written to the config/columbia.log file. In order for logging to occur, the web server account (typically IUSR_MachineName) must have write access to the config/columbia.log file. Columbia appends information to this log file if any of the following preferences are set to 1:

NFuse_LogGatewayErrors: any communication problems between the web server and the Citrix server running the XML service

NFuse_LogGatewaySuccess: any successful enumerations from the Citrix server running the XML service

NFuse_LogSignonErrors: any logon failures, including bad or expired passwords, invalid usernames, etc.

NFuse_LogSignonSuccess: any successful logons
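Before a Columbia site goes live, the debugging and logging preferences above are worth auditing together with the idle timeout and username pre-population settings described earlier. The Python sketch below is an added example, not part of Columbia or the original guide. It assumes config.txt holds one key=value pair per line as shown on this page; the function name, finding codes and sample values are constructed for illustration.

```python
from pathlib import Path

# What each logging preference records in config/columbia.log, per the guide.
LOG_KEYS = {
    "NFuse_LogGatewayErrors": "XML service communication problems",
    "NFuse_LogGatewaySuccess": "successful enumerations",
    "NFuse_LogSignonErrors": "logon failures",
    "NFuse_LogSignonSuccess": "successful logons",
}

def audit_columbia(config_text, columbia_dir):
    """Return (code, message) findings for a Columbia config.txt and site directory."""
    pairs = (ln.partition("=") for ln in config_text.splitlines())
    cfg = {k.strip(): v.strip() for k, _, v in pairs if v.strip()}
    findings = []
    if cfg.get("NFuse_Debug") == "1":
        findings.append(("debug-on", "session variables and cookies are appended to every page"))
    # debug.asp shows the same table whether or not NFuse_Debug is set.
    if (Path(columbia_dir) / "debug.asp").is_file():
        findings.append(("debug-page", "debug.asp is present in the site directory"))
    for key, what in LOG_KEYS.items():
        if cfg.get(key) != "1":
            findings.append(("log-off", f"{key} is not 1: {what} are not logged"))
    timeout = cfg.get("NFuse_IdleSessionTimeout")
    if timeout is None:
        findings.append(("timeout-inherited", "idle timeout comes from the web server's properties"))
    elif not timeout.isdigit():
        findings.append(("timeout-invalid", f"{timeout!r} is not a number of minutes"))
    if cfg.get("NFuse_PopulateUsername") == "1":
        findings.append(("populate-username", "only valid if every client is already logged on to the domain"))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """NFuse_Debug=1
NFuse_LogSignonErrors=1
NFuse_LogSignonSuccess=1
NFuse_PopulateUsername=1
"""

if __name__ == "__main__":
    for code, message in audit_columbia(SAMPLE, "."):
        print(f"{code:18} {message}")
```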

16. 2. 3 Known Issues and Limitations with Project Columbia

When using the ICA Java client to connect to applications published with RC5 encryption, users are prompted again for their credentials by each MetaFrame server. This is a security feature of the ICA Java client that cannot be disabled.

Netscape 4.x for Macintosh does not fully support Java 1.1 applets. To use embedded Java applets with Netscape on a Macintosh, you must upgrade to Netscape 6.1.

16. 3.    How to Customize the Text Displayed in NFuse 1.61

NFuse 1.61 can be branded with custom text and graphics. Like the configuration settings, branding is configured through a single file: NFUSE.TXT, located in the default NFuse directory (C:\program files\citrix\nfuse\). To change the wording of the Columbia screens, change the text between the quotes.

After making changes you will need to restart the IIS services: Start > Run, type: iisreset

Note:  Be very careful when editing this file.  You will want to make a backup copy for disaster recovery.

                                         

 
