The Ultimate Citrix Install Guide
 

7. Tweak Windows 2000 / MetaFrame XP

Now that you have installed MetaFrame and all of its components, we are ready to configure MetaFrame and Windows 2000 for optimum performance.

 

The following procedures are just a starting point; you might need to add or remove some of them.  For a detailed list, please visit Rick Dehlinger's MetaFrame Install & Tuning Tips document and Rick's new tuning tips web site:  http://www.tweakcitrix.com.   It's the bible of MetaFrame tips and tricks.

 

Note:  The registry entries listed below have been scripted into .REG files for your convenience.  If you received this document independently from the other material (doc templates, REG file zip), you will need to download the latest version of this doc and all the registry files discussed below from http://www.dabcc.com/MIAB/files/Methodology in a Box1.0.zip. Also, most changes seen below are configurable via the MIAB.ADM file, as documented in "How to deploy MIAB.ADM" later in this document.

 

Step

Description

1.

Remove / disable RDP-TCP Connection in Citrix Connection Configuration Utility

  • Start > Programs > Citrix > MetaFrameXP > Citrix Connection Configuration > highlight rdp-tcp and press the Delete key

 

2.

Remove the EVERYONE and GUEST account for security reasons on ICA-TCP connection in Citrix Connection Configuration Utility.

  • Start > Programs > Citrix > MetaFrameXP > Citrix Connection Configuration > Security > Permissions

 

3.

Enable Auditing in Local Security Policy

  • Start > Settings > Control Panel > Administrative Tools > Local Security Policy applet > Local Policies > Audit Policies folder > select the Success/Failure events you want to audit.
    • Account Logon Events: Success and Failure
    • Audit Logon Events: Success and Failure
    • Audit System Events: Failure

 

4.

Enable ICA Keep Alives. 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Citrix]

"IcaEnableKeepAlive"=dword:00000001

"IcaKeepAliveInterval"=dword:0000003c

 

Registry File:  Enable ICA Keep Alives.reg

 

5.

Enable TCP Keep Alives. 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"KeepAliveTime"=dword:0000ea60

"KeepAliveInterval"=dword:000003e8

 

Registry File:  Enable TCP keep alives.reg

 

6.

Clear the name of the last person who logged into the server farm from the username field of the Microsoft Client.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"DontDisplayLastUserName"=dword:00000001

 

Registry File:  DontDisplayLastUserName.reg

 


 

 


7.

Disable Client Audio Mapping

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]

"fDisableCam"=dword:00000001

 

Registry File:  disable client audio mapping.reg

 

8.

Disable Client COM Port Mapping

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]

 "fDisableCcm"=dword:00000001

 

Registry File:  disable client COM port mapping.reg

 

9.

Disable Dr Watson

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

"Debugger"=""

 

Registry File:  Disable Dr Watson.reg

 

10.

Disable paging of the Windows NT Executive

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

 "DisablePagingExecutive"=dword:00000001

 

Registry File:  disable paging of the Windows NT Executive.reg

 

11.

Disable Roaming Profile Cache

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"DeleteRoamingCache"=dword:00000001

 

Registry File:  Disable Roaming Profile Cache.reg

 

12.

Set TcpMaxDataRetransmissions

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"TcpMaxDataRetransmissions"=dword:0000000a

 

Registry File:  Increase Performance and Reliability over WAN links and the Internet.reg

 

13.

Disable NTFS last access time stamp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]

"NtfsDisableLastAccessUpdate"=dword:00000001

 

Registry File: Prevent last access time stamp from being updated on NTFS.reg

 


 

 


14.

Enable ErrorMode 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]

"ErrorMode"=dword:00000002

 

Registry File:  Set ErrorMode.reg

 

15.

Disable the printer beep to reduce bandwidth and increase performance.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]

"BeepEnabled"=dword:00000000

 

Registry File:  Disable Printer Beep.reg

 

16.

Set Event Log to overwrite entries as needed, with a log size of 2 MB

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]

"MaxSize"=dword:00200000

"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]

"MaxSize"=dword:00200000

"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]

"MaxSize"=dword:00200000

"Retention"=dword:00000000

 

Registry File:  Set Event Log Parameters.reg

 

17.

Set User ICA-TCP Overrides

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop]

"AutoEndTasks"="1"

"MenuShowDelay"="10"

"CursorBlinkRate"="-1"

"DragFullWindows"="0"

"WaitToKillAppTimeout"="20000"

"SmoothScroll"=dword:00000000

"Wallpaper"="(none)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp\UserOverride\Control Panel\Desktop\WindowMetrics]

"MinAnimate"="0"

 

Registry File:  Set WinStation Overrides.reg

 

18.

Disable print events from the Event Log

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]

"EventLog"=dword:00000000

 

Registry File:  Disable Logging of Print Events to the System Event Log.reg

 

19.

Disable Spooler errors from being displayed on the server console

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]

"ErrorControl"=dword:00000002

 

Registry File:  Surpress Spooler Error Messages.reg

 


 

 


20.

Disable print spooler notification dialog screen from being displayed on the server console

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers]

"NetPopup"=dword:00000000

 

Registry File:  Turn off NetPopup.reg

 

21.

Disable the Alerter Service in the Services Applet.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]

"Start"=dword:00000004

 

Registry File:  Disable Alerter Service.reg

 

22.

Set IgnoreLinkResolver entry to fix shortcuts resolving to UNC paths issue.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"LinkResolveIgnoreLinkInfo"=dword:00000001

 

Registry File:  Fix shortcuts resolving to UNC paths.reg

 

23.

Remove Outlook Express from the Quick Launch bar and Start Menu

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"Stubpath"=""

 

Registry File:  Remove Outlook Express from the Quick Launch bar.reg

 

24.

Change the name of the My Computer icon to show the logged-on user and the machine name

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]

@="My Computer"

"InfoTip"="Displays the files and folders on your computer"

"LocalizedString"=hex(2):25,00,55,00,53,00,45,00,52,00,4e,00,41,00,4d,00,45,00,\
  25,00,20,00,6f,00,6e,00,20,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,\
  00,52,00,4e,00,41,00,4d,00,45,00,25,00,00,00

Registry File:  Change My Computer text.reg

 

25.

Remove the Internet Connection Wizard. By default, the ICW will run for all users the first time they log into a server and get a profile. Delete the "^SetupICWDesktop" value from ["HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Runonce"]

You can also modify the following registry entry:

Add or Change Key:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]

"Completed"=dword:00000001

 

Registry File:  Turn Off Internet Connection Wizzard.reg

 

26.

Disable Media Sensing.  By default Windows 2000 detects whether or not you have a cable plugged into the NIC.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip\parameters]

"DisableDHCPMediaSense"=dword:00000001

 

Registry File:  Disable Media Sensing.reg

 


 

 


27.

 

Disable OS/2 and POSIX subsystems. If you don't have a need for these, disabling them can free up an incremental amount of server resources. Be sure you aren't using any OS/2 or POSIX apps before proceeding, however, since they won't run. To disable these subsystems, remove the following keys under

[HKLM\System\CurrentControlSet\Control\Session Manager\Subsystems]

 \OS2

 \POSIX

 

28.

Stop extra/unnecessary processes from running in each session.  Remove associated entries from

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Examples:

ICABAR.EXE (MetaFrame administrator toolbar)

NWTRAY.EXE (Netware tray application)

 

29.

Set RootDrive manually by running C:\WINNT\Application Compatibility Scripts\CHKROOT.CMD and set it to the drive letter you defined in the Design phase.

 

30.

Fine-tune the SERVER Service

  • Start > Settings > Control Panel > Network and Dial-Up Connections > Local Area Network > Properties > File and Print Sharing for Microsoft Networks > Maximize Throughput for Network Applications

 

31.

Modify foreground thread timeslices.

  • Start > Settings > Control Panel > System > Advanced tab > Performance Options > set Application response to Background services

 

32.

Set Print Spooler Directory to the disk with the most free space (preferably the second partition)

  • Start > Settings > Printers > File > Server Properties > Advanced tab > set the Spool folder to: d:\spool.  (d: being the drive with the most free space)

 

 

33.

Disable Active Desktop in Terminal Services Configuration Utility

  • Start > Settings > Control Panel > Administrative Tools > Terminal Services Configuration > Server Settings > disable Active Desktop

 

34.

Install Internet Explorer 6.0 (if so desired)

  • From command line run: change user /install
  • Install IE 6.0 through Windows Update
  • When IE is finished installing from command line run: change user /execute

 

35.

Install any remaining critical updates by running Windows Update

 

36.

Verify hotfix level by running Microsoft Hotfix checker: hfnetchk.exe. 

 

For more information please visit: Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available (Q303215) - http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215

http://download.microsoft.com/download/win2000platform/Utility/3.3/NT45/EN-US/Nshc332.exe

Download and install any missing hotfixes.

 

37.

Remove any unwanted shortcuts from:

  • C:\Documents and Settings\All Users\Start Menu\Programs
  • C:\Documents and Settings\Default User\Start Menu\Programs
  • C:\Documents and Settings\Default User.domain_name\Start Menu\Programs

 


 


38.

Implement any Citrix Security Bulletins

 

Citrix posts security bulletins to its knowledgebase.  To search for security bulletins please visit http://knowledgebase.citrix.com and search for security bulletins.

 

The following security bulletins exist:

Installation Security Issue for MetaFrame XP 1.0 for Windows - CTX352147

Citrix MetaFrame Denial of Service Attack Vulnerabilities - CTX654124

 

39.

Set Windows 2000 time source

  • Start > Run > cmd > type:  net time /setsntp:name_of_timeserver

 

40.

Clean up any error messages in the Event Log

 

41.

Create the ERD Disk - Unless you run RDISK with a command line parameter, the only security info that makes it to the ERD is your initial Administrator user and password.  Running it after modifications to the Administrative users updates the SAM info.

 

Run RDISK /S after crippling Administrator.  This updates the backup security hive, which is then put on the ERD.  Since Win2K creates this as an unlocked copy, be careful to securely store your ERDs.
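
One way to confirm that the security-relevant values from steps 6, 7 and 8 actually landed on a server, given as an added example that is not part of the original guide or of the MIAB registry files: this Python sketch parses a .REG export, reports baseline values that are missing or different, and lists lines that are not valid .REG syntax (a misspelled hive, "/" used as a separator, an unquoted value name). The names BASELINE, parse_reg and audit, and the sample export, are assumptions made for the illustration.

```python
import re

ICA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp"
POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
BASELINE = {  # expected DWORDs from steps 6, 7 and 8: (key, value name) -> data
    (POL, "DontDisplayLastUserName"): 1,
    (ICA, "fDisableCam"): 1,
    (ICA, "fDisableCcm"): 1,
}
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER"}
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return ({(key, name): int}, lower-cased, and the lines that are not valid .REG syntax)."""
    values, bad, key, cont = {}, [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if cont:  # continuation of a multi-line hex value
            cont = line.endswith("\\")
            continue
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        cont = line.endswith("\\")
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key.split("\\")[0].upper() not in HIVES:
                key = None  # misspelled hive or '/' used as separator
                bad.append(line)
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
        elif not re.match(r'^(@|"[^"]+")=', line):
            bad.append(line)  # value name unquoted or missing a quote
    return values, bad

def audit(text):
    """Return (drift, bad): baseline entries whose exported data differs, and bad lines."""
    values, bad = parse_reg(text)
    got = {k: values.get((k[0].lower(), k[1].lower())) for k in BASELINE}
    return [(k[1], BASELINE[k], v) for k, v in got.items() if v != BASELINE[k]], bad

# Constructed sample export for illustration, not taken from a real server.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/policies/system]
DontDisplayLastUserName=1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\ICA-tcp]
"fDisableCam"=dword:00000001
"fDisableCcm"=dword:00000000
"""
```

Each drift entry is (value name, expected, found), with None meaning the value was not present in the export; run audit() over the text of an export of the keys above after applying the .REG files.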

 
