During the MetaFrame Access Suite Design you will be required to define the logical MetaFrame Access Suite design. This consists of detailing the MetaFrame XP farm and its subcomponents, the method that will be used to deliver applications and content to the end-users, and the method that will be used to secure the MetaFrame environment.

The MetaFrame Access Suite Design section consists of the following sections:

MetaFrame XP Architecture
- MetaFrame XP Farm Design
- MetaFrame XP Zone Design
- MetaFrame XP Data Collector Design
- MetaFrame XP Data Store Design
- MetaFrame XP Load Management Design
- Applications
- MetaFrame Conferencing Manager Design
- MetaFrame XP Printing Design

Application Delivery Architecture
- MetaFrame XP Web Interface Design
- MetaFrame Secure Access Manager Design
- MetaFrame XP ICA Client Design

Security Architecture
- Secure Gateway for MetaFrame Design
- MetaFrame Password Manager Design

Each section will be broken down into the following three sub-sections. This gives your customer the necessary background on the technologies you are recommending and why you recommend what you do; of course, those recommendations are all based on the project vision and requirements.

Background - Give a brief background on the technologies you will be using, and document multiple solutions where a decision might need to be made.

Requirements - Define each of the requirements for achieving a successful implementation. These requirements are derived from the project vision, organizational units, geography and, as always, corporate politics. You should not be shy in requesting a meeting to define the requirements for each section. Once the requirements are documented you will need to call a meeting with the customer to obtain sign-off on the requirements, based on the project vision. This will give you the correct requirements on which to base your recommendation.
Recommendations - After all the above is accomplished and the customer is happy with the requirements, you will be required to document your recommendations based on the above requirements and your professional experience.

The following is an example of a MetaFrame Access Suite Design Overview:

3. MetaFrame Access Suite Design

The MetaFrame Access Suite Design defines the logical structure that will be used to deploy MetaFrame XP with Feature Release 3, MetaFrame Conferencing Manager 2.0, MetaFrame Secure Access Manager 2.0 and the Secure Gateway for MetaFrame. In the following design D & D Consulting will define the MetaFrame XP farm and its subcomponents, the method that will be used to deliver applications and content to the end-users, and the method that will be used to secure the MetaFrame environment.

The MetaFrame Access Suite Design section consists of the following sections:

MetaFrame XP Architecture
- MetaFrame XP Farm Design
- MetaFrame XP Zone Design
- MetaFrame XP Data Collector Design
- MetaFrame XP Data Store Design
- MetaFrame XP Load Management Design
- Applications
- MetaFrame Conferencing Manager Design
- MetaFrame XP Printing Design

Application Delivery Architecture
- MetaFrame XP Web Interface Design
- MetaFrame Secure Access Manager Design
- MetaFrame XP ICA Client Design

Security Architecture
- Secure Gateway for MetaFrame Design
- MetaFrame Password Manager Design

During the MetaFrame XP Design you will be required to define the logical structure that will be used to deploy the MetaFrame XP servers.
The MetaFrame XP Design section consists of the following sections:

- MetaFrame XP Farm Design
- MetaFrame XP Zone Design
- MetaFrame XP Data Collector Design
- MetaFrame XP Data Store Design
- MetaFrame XP Load Management Design
- Applications
- MetaFrame Conferencing Manager Design
- MetaFrame Printing Design

The following is an example of a MetaFrame XP Architecture overview:

3.1 MetaFrame XP Architecture

The MetaFrame XP Design defines the logical structure that will be used to deploy the MetaFrame XP with Feature Release 3 servers. In the following design D & D Consulting will define the MetaFrame XP architecture for all of its subcomponents. D & D Consulting will also define the method that will be used to deliver MetaFrame XP applications and content to the end-users.

The MetaFrame XP Architecture section of the Design Phase consists of the following sections:

- MetaFrame XP Farm Design
- MetaFrame XP Zone Design
- MetaFrame XP Data Collector Design
- MetaFrame XP Data Store Design
- MetaFrame XP Load Management Design
- Applications
- MetaFrame Conferencing Manager Design
- MetaFrame XP Printing Design

In the MetaFrame XP Farm Design section, you are required to define the number, location and name of the MetaFrame XP server farm(s). The following is an example of a MetaFrame XP Farm Design:

3.1.1 MetaFrame XP Farm Design

Background

Citrix MetaFrame XP farms provide you with a flexible and robust way of deploying applications to any device. A MetaFrame XP server farm is a group of MetaFrame XP servers that are managed from a single management console and share some form of physical connection. In addition, the servers in the server farm share a single IMA-based data store. A single farm can serve even the largest deployments. However, several factors concerning hardware, database performance, and network congestion can decrease performance of the farm. One way to increase performance is to create separate, multiple farms for the enterprise.
The following are advantages of both single and multiple farms.

Single Farm
- Pooled licenses - All MetaFrame XP licenses are pooled together and can be used by all servers in the farm.
- Simplified management and administration - Citrix administrators only need to log in to one farm for all maintenance and administrative tasks.

Multiple Farms
- Reduced IMA traffic - A single farm with remote zone data collectors must communicate frequently to keep published application and user connection information synchronized across the farm.
- No firewall changes - When the farm spans a firewall, TCP ports 2512 and 2513 must be opened on the firewall for IMA communication. The implementation of a separate farm per site eliminates the need to open ports 2512 and 2513 on the firewall and any ODBC ports used for data store communication.
- No Internet traffic - When the farm spans an Internet WAN connection, IMA traffic and ODBC connection information can potentially be intercepted. This data does not travel across a WAN connection when a farm is isolated to one site.
- No data store replication - Citrix recommends that the data store be replicated to remote sites when using a single farm in a WAN environment. The use of multiple farms eliminates the need for data store replication, because each remote site maintains its own data store.

Requirements

DABCC.COM has defined centralized license pooling across all sites in the organization, with a single point of management throughout the company, while keeping with the requirement of reduced bandwidth consumption. DABCC.COM has defined a central administration tool to manage all published resources as a requirement.

Recommendations

In order to achieve central license pooling across all sites in the DABCC.COM organization while delivering one management tool, D & D Consulting recommends DABCC.COM implement a single MetaFrame XP farm. D & D Consulting recommends the MetaFrame XP farm name DABCC Application Farm.
In the MetaFrame XP Zone Design section, you will be required to define the number, location and name of MetaFrame XP zones. MetaFrame XP zone layout is crucial to the end-user perception of performance. The following is an example of a MetaFrame XP Zone Design:

3.1.2 MetaFrame XP Zone Design

Background

The layout and distribution of zones in MetaFrame XP is crucial to the end-user perception of performance. In an IMA-based MetaFrame XP server farm, a zone is a grouping of MetaFrame XP servers that you configure. By default, all servers in a farm that are on the same network subnet belong to the same zone. Zones are designed to enhance the performance of a MetaFrame XP server farm by allowing geographically related servers to be grouped together, whether they are connected to the same network subnet or not.

If all the servers in a farm are in one location, you can configure the farm with a single zone without causing slower performance or making the farm more difficult to manage. If you manage an enterprise server farm with servers in different geographic regions, you can place servers into zones based on the location of the servers. This can improve performance and make management of the farm more efficient.

In a WAN environment, consider the cost of placing separate zones at each WAN point. For example, if DABCC.COM implements three separate zones, each time a dynamic event such as a user logon occurs, the initiating zone's data collector sends that event to the other two data collectors. Therefore, the same event goes across the WAN link two times. If the environment is configured as a single zone with a central zone data collector, each time a dynamic event occurs, the event traverses the WAN link only once to the central zone data collector.
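The WAN cost the text just compared (an event relayed from the initiating zone's data collector to every other zone's collector, against one hop from each remote member server to a central collector), as an added example that is not part of the original design document or of Citrix's software. Sites, server counts and event rates are constructed assumptions; any mapping of sites to zones can be scored with ZoneLayout, not only the two extremes.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    servers: int
    events_per_server: int  # dynamic events (logons, load updates) per period


@dataclass
class ZoneLayout:
    # zone name -> (site hosting the zone's data collector, set of member sites)
    zones: dict

    def zone_of(self, site_name):
        for zone, (_collector_site, members) in self.zones.items():
            if site_name in members:
                return zone
        raise ValueError(f"site {site_name} is not in any zone")


def wan_crossings(sites, layout):
    """Return (total WAN crossings, Counter of crossings per hop type).

    Two hops are modelled, both taken from the text:
      member -> own zone data collector   crosses the WAN when the collector
                                          sits at a different site
      collector -> every other collector  crosses the WAN when the two
                                          collectors sit at different sites
    """
    crossings = Counter()
    collector_site = {zone: c for zone, (c, _members) in layout.zones.items()}
    for site in sites:
        zone = layout.zone_of(site.name)
        events = site.servers * site.events_per_server
        # Hop 1: member servers report session/load changes to their collector.
        if collector_site[zone] != site.name:
            crossings["member->collector"] += events
        # Hop 2: the collector relays each event to the other zones' collectors.
        for other_zone, other_site in collector_site.items():
            if other_zone != zone and other_site != collector_site[zone]:
                crossings["collector->collector"] += events
    return sum(crossings.values()), crossings


def single_zone(sites, hub):
    """One zone for the whole farm, data collector at the hub site."""
    return ZoneLayout({"farm": (hub, {s.name for s in sites})})


def zone_per_site(sites):
    """One zone per site, each with its own local data collector."""
    return ZoneLayout({s.name: (s.name, {s.name}) for s in sites})


# Constructed sample: a Des Moines hub plus two remote sites (assumed figures).
SITES = [
    Site("DesMoines", servers=6, events_per_server=100),
    Site("Omaha", servers=3, events_per_server=100),
    Site("Chicago", servers=1, events_per_server=100),
]


def compare(sites, hub="DesMoines"):
    """WAN crossings per period for the two layouts the text contrasts."""
    return {
        "single_zone": wan_crossings(sites, single_zone(sites, hub))[0],
        "zone_per_site": wan_crossings(sites, zone_per_site(sites))[0],
    }


if __name__ == "__main__":
    for layout, total in compare(SITES).items():
        print(f"{layout:14s} WAN crossings per period: {total}")
```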
Requirements

The requirement is to provide a robust, highly optimized zone structure capable of supporting the IMA traffic with the lowest cost in server-to-server traffic, achieving optimal end-user performance. The MetaFrame XP Zone Design must be capable of supporting the current and future needs of DABCC.COM.

Recommendation

It is recommended for DABCC.COM to implement a single zone. If a remote site grows to more than two MetaFrame XP servers, the cost of server-to-server replication is less expensive than having every MetaFrame XP server in the remote site communicate with a single data collector located in the Des Moines data center.

In the MetaFrame XP Data Collector Design section, you will need to document the configuration and location of the MetaFrame XP data collectors. The following is an example of a MetaFrame XP Data Collector Design:

3.1.3 MetaFrame XP Data Collector Design

Background

Each zone in a server farm contains one MetaFrame XP server designated as the zone data collector for the zone. A zone's data collector receives information from each MetaFrame XP server in the zone. Data collectors store information about the servers and published applications in the server farm. The data collector knows the address of each MetaFrame XP server and the applications that are available on each MetaFrame XP server in the zone.

Data collectors in IMA-based server farms are similar in function to the Windows Master Browsers in Microsoft Windows NT 4.0 networks. However, data collectors use TCP/IP for server-to-server communication, whereas Windows Master Browsers use RPC for server-to-server communication.

The data collector in each zone can support up to 70 resolutions per second. Member servers in each zone frequently update their session and load information to their zone's data collector. The data collector is then responsible for relaying new information to all of the other data collectors in the farm.
This operation consumes N times the amount of bandwidth, where N represents the number of zones.

Requirements

DABCC.COM has defined high availability as a major design goal. DABCC.COM has also defined the need for the design to plan for future growth.

Recommendations

Based on the requirements and the recommendation for the MetaFrame XP Zone Design, D & D Consulting recommends the use of a dedicated data collector (control server). The following roles will be housed on the control server: Data Collector, Management Console for MetaFrame XP, Resource Manager Primary Metric Server, central Auto-Client Update database and print driver replication source server.

The MetaFrame XP Data Store Design section not only documents which data store your customer will use, but also how they will account for any failures through replication, backup, etc. As always, you will give background information on the data store types (Microsoft SQL, Oracle, IBM DB2, MSDE or Access), location, and the access methods (direct or indirect). The following is an example of a MetaFrame XP Data Store Design:

3.1.4 MetaFrame XP Data Store Design

Background

Before installing MetaFrame XP, you must decide which database to use for the data store.

Microsoft Access

Microsoft Access is a lightweight database that is included with Windows server operating systems. It is most appropriate for smaller server farms. However, mid-sized server farms of more than 50 servers often perform just as well with a Microsoft Access database as with a SQL Server. When using Microsoft Access, the database is stored on the first MetaFrame XP server in the farm, and is created as part of the MetaFrame XP installation process. Microsoft Access is best used for centralized farms and supports only indirect mode for all servers other than the host. It therefore has slower performance than a direct mode data store on large farms. Database replication is not supported with Microsoft Access.
Microsoft SQL Desktop Edition (MSDE)

The Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) is a data engine built and based on core SQL Server technology. With support for single- and dual-processor devices, MSDE 2000 is a reliable storage engine and query processor for desktop extensions of enterprise applications. The common technology base shared between SQL Server and MSDE 2000 enables developers to build applications that can scale seamlessly from portable computers to multiprocessor clusters. Designed to run in the background, supporting transactional desktop applications, MSDE 2000 does not have its own user interface (UI) or tools. Users interact with MSDE 2000 through the application in which it is embedded.

Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) offers the features described below.

Multi-Instance Support - MSDE 2000 supports up to 16 database server instances on a single computer.

MSDE 2000 Utilities - MSDE 2000 includes several command prompt utilities that can be used to administer instances of MSDE 2000. The most important of these is Osql.exe, which allows you to interactively enter Transact-SQL statements in a command prompt environment. You can use the Transact-SQL administration statements, such as BACKUP and RESTORE, to administer an instance of MSDE 2000. Other utilities included with MSDE 2000 are Bcp.exe, which allows you to bulk copy large amounts of data into or out of MSDE 2000 databases, and Dtsrun.exe, which executes Data Transformation Services packages. The remaining utilities included with MSDE 2000 are Cnfgsvr.exe, Dcomscm.exe, Sqlmangr.exe, Sqladhlp.exe, and Svrnetcn.exe.

Replication - MSDE 2000 fully supports both merge and snapshot replication, both as a publisher and as a subscriber, allowing you to keep copies of the same data on multiple sites, sometimes covering hundreds of sites. MSDE 2000 also supports other forms of replication, but only in a limited capacity.
MSDE 2000 can participate in transactional replication in a subscriber capacity only.

Performance - MSDE 2000 is a local data engine that can be shared. It has a managed concurrency workload governor that limits up to five concurrent batch workloads for optimal performance. Commands and log entries are available to monitor instances where more than five workloads are executed concurrently, a situation that can cause slower performance even on well-tuned systems. As more batch workloads are submitted beyond the five-workload limit, the concurrency governor continues to slow down the system. These workloads are not dropped or lost; they are still processed, but in an increasingly degraded performance mode. If your solution must support more than five concurrent workloads, it is highly recommended that you migrate to SQL Server 2000 or SQL Server 2000 Enterprise Edition for optimal performance at this higher level of scalability.

Maximum Database Size - MSDE 2000 supports up to 2 gigabytes (GB) per database. This limitation is per database, not per server. A single computer can support multiple MSDE 2000 instances, each with databases of up to 2 GB in capacity.

Data Transformation Services - MSDE 2000 is capable of running Data Transformation Services (DTS) packages. However, it cannot design DTS packages, because it is not equipped with a DTS Designer.

Remote Administration - It is possible to administer MSDE 2000 both locally and remotely. However, MSDE 2000 cannot be remotely administered in a multi-server environment where transactions occur across servers.

Microsoft SQL Server

Microsoft SQL Server is a true client/server database that offers robust and scalable support for multiple-server data access. It is suited for use in farms of any size. When using Microsoft SQL Server, the database is on a dedicated server running Microsoft SQL that must be set up prior to creating the server farm.
Microsoft SQL servers require significant expertise to install and maintain. If you do not have expertise with these products, using them in a production environment is not recommended.

It is important to note that other factors in addition to the number of servers affect the data store and overall server farm performance. Other factors that affect performance are the number and type of published applications, the maximum number and the average number of concurrent client connections, and the hardware configuration of the MetaFrame XP servers.

After you decide which database to use for the data store, you need to decide whether the MetaFrame XP servers will access it by direct connection or indirectly through another MetaFrame XP server.

Direct Access

To make a direct connection to the data store, a MetaFrame XP server must have the appropriate ODBC drivers installed and configured properly. The server then connects directly to the server on which the database is running (the host server).

Indirect Access

For indirect access, a MetaFrame XP server connects to an intermediary MetaFrame XP server. The intermediary server connects to the data store directly. Using indirect connectivity with a SQL database eliminates the need to install and configure the ODBC drivers on every MetaFrame XP server. If you are using a SQL database for the data store, you can use a combination of direct and indirect access methods for the servers in the farm. Indirect access is not recommended for mission-critical server farms because the intermediary server is a single point of failure. By default, indirect access uses TCP port 2512 for communication between the MetaFrame XP servers. If the MetaFrame XP servers are in different subnets, ensure this port is not blocked by any firewalls. If this port number is not convenient, it can be changed.
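A design check for the access modes just described and for the firewall ports the farm section lists (TCP 2512 and 2513 for IMA across a firewall, TCP 2512 for indirect access, ODBC for direct data store access), as an added example that is not code from the design document or from Citrix. The farm layout, server and site names, and the SQL Server ODBC port 1433 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IMA_PORTS = (2512, 2513)  # TCP ports IMA needs through a firewall (from the text)


@dataclass
class Server:
    name: str
    site: str
    access: str                 # "direct" or "indirect"
    via: Optional[str] = None   # intermediary server when access == "indirect"


@dataclass
class DataStore:
    kind: str                   # "access", "msde" or "sql"
    host: str                   # server hosting the database
    site: str
    odbc_port: int = 1433       # assumption: default SQL Server TCP port


@dataclass
class Farm:
    store: DataStore
    servers: List[Server]
    mission_critical: bool = False
    replicate: bool = False
    # pairs of sites separated by a firewall
    firewalls: Set[Tuple[str, str]] = field(default_factory=set)


def firewalled(farm, a, b):
    return a != b and ((a, b) in farm.firewalls or (b, a) in farm.firewalls)


def required_openings(farm):
    """Return the set of (from_site, to_site, tcp_port) the design needs open."""
    rules = set()
    by_name = {s.name: s for s in farm.servers}
    sites = {s.site for s in farm.servers}
    # A farm spanning a firewall needs TCP 2512 and 2513 for IMA.
    for a in sites:
        for b in sites:
            if firewalled(farm, a, b):
                rules.update((a, b, port) for port in IMA_PORTS)
    for s in farm.servers:
        if s.access == "direct":
            # Direct access speaks ODBC to the database host.
            if firewalled(farm, s.site, farm.store.site):
                rules.add((s.site, farm.store.site, farm.store.odbc_port))
        elif s.via in by_name and firewalled(farm, s.site, by_name[s.via].site):
            # Indirect access uses TCP 2512 to the intermediary by default.
            rules.add((s.site, by_name[s.via].site, 2512))
    return rules


def findings(farm):
    """Design problems and warnings derived from the text's constraints."""
    out = []
    by_name = {s.name: s for s in farm.servers}
    dependents = {}
    for s in farm.servers:
        if farm.store.kind == "access" and s.access == "direct" and s.name != farm.store.host:
            out.append(f"ERROR {s.name}: an Access data store allows direct access only on "
                       f"the host {farm.store.host}; use indirect access")
        if s.access == "indirect":
            if s.via not in by_name or s.via == s.name:
                out.append(f"ERROR {s.name}: indirect access needs a valid intermediary server")
                continue
            if by_name[s.via].access != "direct":
                out.append(f"ERROR {s.name}: intermediary {s.via} must itself connect directly")
            dependents.setdefault(s.via, []).append(s.name)
    if farm.mission_critical:
        for via, names in dependents.items():
            out.append(f"WARN intermediary {via} is a single point of failure for "
                       + ", ".join(names))
    if farm.store.kind == "access" and farm.replicate:
        out.append("ERROR database replication is not supported with an Access data store")
    return out


# Constructed sample farm: SQL data store in Des Moines, Omaha servers reaching
# it indirectly through DMCX1, and a firewall between the two sites.
SAMPLE = Farm(
    store=DataStore("sql", host="DBSQL1", site="DesMoines"),
    servers=[
        Server("DMCX1", "DesMoines", "direct"),
        Server("DMCX2", "DesMoines", "direct"),
        Server("OMCX1", "Omaha", "indirect", via="DMCX1"),
        Server("OMCX2", "Omaha", "indirect", via="DMCX1"),
    ],
    mission_critical=True,
    firewalls={("DesMoines", "Omaha")},
)
```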
Replicated Database

Having a single data store is recommended where appropriate, but in some situations a replicated data store can improve farm performance. Below are some of the concerns and situations that arise from using replicated database technology.

High-latency links without the use of replicated databases can create situations where the data store is locked for an extended period when performing maintenance from remote sites. This means that the IMA service can time out (but starts after an extended period of time) and some normal operations can fail when performed from the remote site. In a high-latency situation, data store writes take longer to complete and, for a period of time, block all additional writes from local or remote sites. In a high-latency situation, data store reads will probably not adversely affect local connections, but the remote site will experience slower performance.

Use of replicated databases to speed performance can be justified in some scenarios. The MetaFrame XP farm servers perform many more reads from the data store than writes to the data store. Most reads occur during startup, when each server populates its local host cache. In a LAN environment, using replicated databases can speed the startup time of the IMA service and improve the responsiveness of the servers in large farms. In a WAN environment, the configuration of the data store is important. Because MetaFrame XP is read-intensive, place replicas of the data store at sites where a considerable number of servers reside. This practice minimizes reads across the WAN link. Limit the use of replicated databases to situations where the remote site has enough MetaFrame XP servers to justify the cost of placing a replicated copy of the database at the site. Database replication consumes bandwidth. The database server software configuration, not MetaFrame XP, controls the frequency of database updates.

Distributed Databases

MetaFrame XP supports distributed databases.
Distributed databases are useful when the data store begins to bottleneck due to too many read requests. To distribute the load of reads, a distributed database can be used. Microsoft SQL Server uses replication to create the distributed database environment. MetaFrame XP needs to be assured of data coherency across multiple databases. Because of this requirement, a two-phase commit algorithm must be used for writes to the database.

Requirements

DABCC.COM would like to keep with the goal of achieving a highly available solution for the MetaFrame XP data store, designed with growth in mind.

Recommendation

It is recommended for DABCC.COM to implement Microsoft SQL 2000 with Service Pack 2 database server as the Independent Management Architecture (IMA) data store. This will allow DABCC.COM to achieve the vision of the project while providing an enterprise-class database server to accommodate growth, replication, and high availability. DABCC.COM should implement Microsoft SQL 2000 with Service Pack 2 server in a distributed database model. This will give DABCC.COM the ability to prevent a single point of failure along with distributing the load of reads and writes on the data store. Additionally, DABCC.COM should implement a replicated database in a zone if the number of Citrix MetaFrame XP servers grows to greater than five in a given zone and/or end-user performance perception drops. This will allow DABCC.COM to deliver the best performance to end-users along with reducing IMA traffic over WAN links.

In the MetaFrame XP Load Management Design section, you will be required to define how MetaFrame XP Load Evaluators will be configured. Define the Load Evaluators you will be using, any rules, their settings and the benefits they bring. The following is an example of a MetaFrame XP Load Management Design:

3.1.5 MetaFrame XP Load Management Design

Background

Load Manager is installed automatically with MetaFrame XPa and MetaFrame XPe.
Load Manager uses a system of load evaluators to calculate server loads. Data collectors compare server loads to determine the server to which the ICA Client will connect. A load evaluator consists of one or more rules and can be applied to a server or published application. Each rule is a component of how your total load configuration works. The threshold of a rule reflects a specific server parameter.

Load Manager includes two Citrix-provided load evaluators:

- Default - This load evaluator is attached to every server by default. It contains one rule, Server User Load, that reports a full load when 100 users log on to the attached server.
- Advanced - This load evaluator contains the CPU Utilization, Memory Usage, and Page Swaps rules.

Load evaluators can vary on each server and each load evaluator can contain any combination of rule types and values. This gives you added flexibility when calculating loads for each server in the server farm.

The rules included in Load Manager are:

- Application User Load - Limits the number of users allowed to connect to a selected published application.
- Context Switches - Defines a range of context switch frequency for a selected server.
- CPU Utilization - Defines a range of processor utilization for a selected server.
- Disk Data I/O - Defines a range of data throughput for a selected server.
- Disk Operations - Defines a range of disk operation frequency for a selected server.
- IP Range - Defines a range of allowed or denied Citrix ICA Client IP addresses for a published application. This rule must be used in conjunction with another.
- License Threshold - Sets the upper limit for assigned or pooled connection licenses in use on a server.
- Memory Usage - Defines a range of memory usage by a server.
- Page Fault - Defines a range of page fault frequency for a selected server.
- Page Swap - Defines a range of page swap frequency for a selected server.
- Scheduling - Schedules the availability of selected servers or published applications.
- Server User Load - Limits the number of users allowed to connect to a selected server.

Requirements

DABCC.COM has defined the need for published resources to be available at all times.

Recommendations

DABCC.COM would like MetaFrame XP resources to be available to end-users at all times, thus requiring load management to achieve an acceptable level of up-time. Based on the variety of applications to be published on MetaFrame XP servers, D & D Consulting recommends DABCC.COM implement the Advanced Load Management load evaluator for all applications in the MetaFrame XP farm. This will allow the end-users to achieve the required up-time while allowing for the best perception of performance.

In this section, you will be required to define the applications and/or content that will be deployed via MetaFrame XP servers. You will also be required to define how they will be deployed, how they will be installed (Image, Manual or Installation Manager (IM)), the MetaFrame XP server(s) they will be installed to and who will have access to them. I recommend classifying applications into the following three categories.

Image - I classify image applications as applications that are going to be installed on all servers for the lifespan of the farm and/or image cycle, e.g., WinZip, Adobe Acrobat Reader 6.0. Be very careful when deciding upon image applications; you will need to remember that this application will be embedded into the image, hence the possibility for future conflicts.

Manual - I classify manual applications as applications that will be manually installed and uninstalled on the selected server(s). I recommend utilizing Installation Manager for a consistent, scheduled, tested install, but some applications just do not like to be packaged for whatever reason. This is when you install them manually.

Installation Manager - I classify IM applications as applications that will be packaged, installed and uninstalled on the selected server(s) using Installation Manager.
Note: For more information on how to use Installation Manager please visit the Installation Manager Administrator's Guide.

You will be required to document which applications are installed on each MetaFrame XP server and who will have access to them. The following is an example table of published applications information:

3.1.6 Applications

Publishing applications and/or content makes them easily available to users. With application publishing, you can:

- Increase your control over application deployment
- Shield users from the mechanics of the Windows server environment
- Push application icons and shortcuts to user desktops through Program Neighborhood, Program Neighborhood Agent, Web Interface and/or MetaFrame Secure Access Manager 2.0.

Use the Management Console to publish applications. With the Management Console, you can publish applications on any server in the MetaFrame XP server farm, including servers that are temporarily out of operation.

DABCC.COM requires the installation and publication of the following applications and content to the proposed MetaFrame XP Farm:

| Name | Installation Executable | Type | Servers | Users |
| Adobe Acrobat | \\dabcc.com\dfsroot\apps\acrobat\setup.exe | IMAGE | All | |
| Adobe Acrobat | C:\program files\adobe\reader.exe | Published Shortcut | All | CTX Users |
| Exchange Admin | Loaded from Exchange 2000 CDROM | Manual | DB2K3CX1 | |
| Exchange Admin | \\dabcc.com\dfsroot\apps\tools\exchadmin.cmd | Published Shortcut | DB2K3CX1 | Exchange Admins |
| Symantec Corporate Edition Antivirus 8.1 | \\dabcc.com\dfsroot\apps\smantecav\setup.exe | Manual | All | |
| Microsoft Office 2002 | \\dabcc.com\dfsroot\apps\office2k3\setup.exe TRANSFORMS=\\dabcc.com\dfsroot\apps\officexp\trmsrvdabcc.mst | Manual | All | |
| Excel 2002 | C:\Program Files\Microsoft Office\Office11\Excel.exe | Published EXE | All | MS Office Users |
| Word 2002 | C:\Program Files\Microsoft Office\Office11\Winword.exe | Published EXE | All | MS Office Users |
| Outlook 2002 | C:\Program Files\Microsoft Office\Office11\outlook.exe | Published EXE | All | MS Outlook Users |
| PowerPoint 2002 | C:\Program Files\Microsoft Office\Office11\powerpnt.exe | Published EXE | All | MS Office Users |
| Access 2002 | C:\Program Files\Microsoft Office\Office11\msaccess.exe | Published EXE | All | MS Office Users |
| WinZip 8.0 | \\dabcc.com\dfsroot\apps\winzip8\setup.exe | IMAGE | All | |
| WinZip 8.0 | C:\Program Files\Winzip\winzip32.exe | Published EXE | All | CTX Users |
| http://www.dabcc.com | DABCC.COM Web Site | Published Content | CTXUsers | N/A |

Note: The above example is in no way a reflection of an endorsement of any particular application or combination of applications. You will always want to verify application compatibility, and this is where the art of installation becomes a challenge in any MetaFrame Access Suite deployment.

During the MetaFrame Conferencing Manager Design you will be required to define 1) the placement of the MetaFrame Conferencing Manager components and 2) whether you will be using the Microsoft Exchange Server integration capabilities. You do this by looking at the applications that need to be deployed, the maximum number of end-users required to participate in a conference and whether you will be integrating with Microsoft Exchange Server. For example, if you will be requiring a maximum of thirty end-users in a conference, then you will want to verify that the MetaFrame XP server will be able to handle the additional load. You will also be required to deploy the Conference Room component to the MetaFrame XP servers with the desired published applications. If you will be integrating with Microsoft Exchange Server, then you will be required to define the Exchange servers you will be connecting to. The following is an example of a MetaFrame Conferencing Manager Design:

3.1.7 MetaFrame Conferencing Manager Design

Background

MetaFrame Conferencing Manager is a productivity tool that adds collaborative capabilities to the MetaFrame XP Server environment. MetaFrame Conferencing Manager allows end-users to share applications and documents, and to conduct online training from anywhere on any device. MetaFrame Conferencing Manager allows you to hold a real-time conference any time the need arises, bridge geographic distances that would otherwise prevent end-users from working together, and save time, money and the inconvenience of travel.

MetaFrame Conferencing Manager offers the following benefits:

- Ability to hold conferences across your network.
- Access to any type of MetaFrame XP published applications and/or content.
- Access to any type of information. Open and share any file type supported by your MetaFrame XP published applications.
- Seamless integration with Microsoft Outlook and Exchange Server. Use the Microsoft Outlook calendar to check attendee availability, schedule conferences by email, and set conference reminders.
- Per-user keyboard and mouse control. Control what attendees can do in a conference. Choose between view-only access and full keyboard and mouse control.
- Launch a Web browser with the click of a button.
- Launch a Whiteboard with the click of a button.
- Send a private message any time to anyone in the conference.
- Choose from built-in themes to customize the appearance of MetaFrame Conferencing Manager.

MetaFrame Conferencing Manager 2.0 consists of the following components.

Conference Organizer Service

The Conference Organizer is the component that keeps track of the location of the meetings and load information. It runs as a Windows Service and can be run on any server within a MetaFrame XP server farm or on a server within the same domain as the MetaFrame Conferencing Manager User Interface and the Conference Room component.
Citrix's best practice suggests that the Conference Organizer component be installed on one of the domain servers or on any one of the Conference Room component servers. Only one instance of the Conference Organizer service per server farm is required and utilized.

MetaFrame Conferencing Manager User Interface

The MetaFrame Conferencing Manager User Interface is the component that supplies the end-user with all the tools necessary to create and participate in a conference; it is the component the user launches into. During installation the User Interface is installed and automatically published in the Management Console for MetaFrame XP as "Citrix MetaFrame Conferencing Manager". Citrix's best practices recommend installing the User Interface on the MetaFrame XP servers running your other productivity applications. If you will be deploying a high number of concurrent connections, you can gain performance improvements by installing and load balancing the User Interface on multiple MetaFrame XP servers.

Conference Room

The Conference Room is the component that provides the actual shadowing session within which users collaborate during a conference. Like the User Interface, the Conference Room is a published application that runs on MetaFrame XP servers. Unlike the User Interface, the Conference Room runs as a hidden MetaFrame XP published application; as a result, it does not appear in a user's list of available applications. Instead, users automatically connect to this component from the MetaFrame Conferencing Manager User Interface when a conference is started. When installing the Conference Room component, the installation program also installs the Conference Room Manager service, which keeps track of the server's meeting information (i.e. attendees and keyboard/mouse control). The Conference Room service communicates with the Conference Organizer service.
When a new conference is requested via the client component, the Conference Organizer determines which Conference Room server should be used, according to the Load Manager parameters defined for that MetaFrame XP farm. Citrix's best practices recommend installing the Conference Room component on dedicated MetaFrame XP servers. If you will be deploying a high number of concurrent connections, you can gain performance improvements by installing and load balancing the Conference Room component on multiple MetaFrame XP servers.

Microsoft Exchange Server Integration

You can implement MetaFrame Conferencing Manager by itself or integrate it with Microsoft Exchange Server 5.5 and above and Microsoft Outlook 2000 and XP. If you deploy MetaFrame Conferencing Manager by itself, users create conferences on the fly. If you integrate MetaFrame Conferencing Manager with Microsoft Exchange Server and Outlook, users can create MetaFrame conference meeting requests through a custom Outlook calendar appointment form, as shown below.

[Figure: custom Outlook calendar appointment form for a MetaFrame conference meeting request]

Requirements

DABCC.COM would like to achieve the vision requirement of improving productivity through a document conferencing mechanism. DABCC.COM would like to have the ability to access all published MetaFrame XP resources in a conference. DABCC.COM would like to make conferencing available to network users through all application deployment mechanisms. DABCC.COM would like to make a conference available to a maximum of 27 end-users, the total number of employees, at a time.

Recommendations

D & D Consulting recommends the deployment of Citrix MetaFrame Conferencing Manager 2.0 to achieve a low-cost document conferencing mechanism which improves productivity. D & D Consulting recommends the installation of the Citrix MetaFrame Conferencing Manager User Interface on all MetaFrame XP servers.
In order to achieve the requirement of making a conference available to a maximum of 27 end-users per conference, D & D Consulting recommends the installation of the MetaFrame Conferencing Manager Conference Room component on a dedicated MetaFrame XP server that has all the proposed MetaFrame XP applications installed. In order to achieve the requirement of making a conference available via all deployment mechanisms, D & D Consulting recommends creating a MetaFrame Secure Access Manager page for user conferencing. The Conference Manager User Interface published application will also be available via the Web Interface and via the Launch button on the menu bar of a MetaFrame Secure Access Manager Access Center.

| In the MetaFrame XP Printing Design section you will be required to define the MetaFrame XP printing design. In order to keep with the goal of a high end-user perception of the system, you will want to define clear objectives for both the project and the customer. These objectives consist of the following:

Gathering a list of printers that will be supported on go-live day. This is one of the most important steps in any MetaFrame Access Suite deployment and, in most cases, the one that is most overlooked. You will be required to obtain a list of printers to be supported from the customer; you will not be able to complete the Printer Architecture section until you receive it. You will also need to set the expectation that the supplied printers will be the printers supported and that any additional printers might require additional configuration.

Defining how auto-created printers will be utilized. You will need to define whether you will be auto-creating printers and, if so, how. You will also need to include which local printers will be auto-created, e.g. locally connected printers only.

Defining how network print servers will be utilized. You will need to define any network print servers that will be imported and their attached print devices.
You will also need to define which users and groups are assigned to which printers.

Defining how the Universal Printer Driver will be utilized. You will need to define how the Universal Printer Driver will be configured in the MetaFrame farm.

Defining policies and procedures for adding additional supported printers. You will define the end-user procedures for reporting additional printers, and the administration procedures for adding them.

| 3.1.8 MetaFrame XP Printing Design

Background

Users can print documents easily when they run applications on MetaFrame XP servers. For most users, printing from applications in ICA sessions is no different from printing from applications that run on their own computers. When users run applications that are published on MetaFrame XP servers, they have the ability to print to the following types of print device:

- Printers that are connected to ports on the users' client devices on Windows, WinCE, DOS and Mac OS platforms.
- Virtual printers created for tasks such as printing from a PostScript driver to a file on a Windows client device.
- Shared printers that are connected to print servers on a Windows network.
- Printers that are connected directly to MetaFrame XP servers.

The printers that ICA Clients use can be categorized by connection type. You can set up three general types of printer connection in a MetaFrame XP server farm: client printers, network printers and local printers.

Client Printers

The definition of a client printer depends on the ICA Client platform. On DOS-based and WinCE client devices, a client printer is physically connected by a cable to a port on the client device. A PC or PostScript printer connected to a serial port on a Mac OS system is also considered a client printer. On 32-bit Windows platforms (Windows 9x, Windows NT and Windows 2000), any printer that is set up in Windows (these printers appear in the Printers folder on the client device) is a client printer.
Locally connected printers, printers that are connected on a network, and virtual printers are all client printers. Some virtual printers, such as a fax/modem device that is set up in the Printers folder, might not be available as a client printer in ICA sessions. MetaFrame XP communicates with client-attached (LPT) printers through the ICA protocol; you can limit the amount of ICA bandwidth that printing may use on a user or group basis.

Local Printers

Printers that are connected directly to MetaFrame XP servers are local printers within a particular server farm. This definition includes a printer that is connected to the MetaFrame XP server that hosts a user's ICA session, as well as printers that are connected to other MetaFrame XP servers in the same server farm.

Network Printers

Printers that are connected to print servers and shared on a Windows network are referred to as network printers. In a Windows network environment you can configure MetaFrame XP to import network print servers and assign their attached printers on a user or group basis. MetaFrame XP communicates with network printers directly via a TCP/IP connection, so their print traffic does not travel over the ICA session.

Universal Printer Driver

The MetaFrame XP Universal Printer Driver eliminates the need for many native printer drivers to be installed on every MetaFrame XP server in a server farm. The Universal Printer Driver feature comprises the following two components:

- The MetaFrame XP Universal Driver: a standard PCL5c or PCL4 printer driver that is used on all MetaFrame XP servers to provide both color and monochrome printing at 600 dots per inch (dpi). Monochrome printing at 300 dpi is supported on some earlier releases of ICA Clients.
- A PCL5c or PCL4 interpreter and rendering agent that is integrated into the ICA Win32 Client. Version 7.0 or later of the ICA Win32 Client is required.

The universal printing feature works as follows. A single generic printer driver is used on the server to prepare print jobs.
This can be the universal driver for the PostScript (PS) language or the PCL5c or PCL4 variants of the Printer Control Language. The generic driver creates a print data stream, spools the print job and redirects the job to the ICA Client. The client renders the print data stream again using a PCL4, PCL5c or PS interpreter; the client device's local printer drivers are then used to create print images that can be directed to any printer connected and configured on the client device. Print jobs are therefore not restricted to PCL- or PostScript-compatible printers. With generic printer drivers you do not need to install and duplicate a potentially large set of native printer drivers throughout the server farm. You may need to deploy a few specific printer drivers for applications that require options not provided by a universal driver; you can view the properties of a client printer created with a Universal Printer Driver to see the options that are available. A tag in the format [UPD:PCL5c] is appended to the name of a printer created using a universal printer driver.

USB Support in MetaFrame XP

Citrix support for peripherals attached to a client device is fundamental functionality leveraged by the Citrix Server Based Computing (SBC) model. Since the introduction of the MetaFrame XP Server products, support for many client-side peripherals has existed, so whether using local or remotely published applications, end-users can seamlessly utilize their peripheral devices. Client-side peripherals are supported in one of two basic ways:

Device Level Redirection

This method involves redirection (also called mapping) of the high-level device as recognized by the operating system. Examples include keyboards, mice and printers. Such devices are not seen by the operating system as the hardware ports to which they connect, but as the device itself.
For example, whether a keyboard has a USB or serial connector, or a printer has a parallel, serial or USB connector, they are simply seen by the operating system as keyboards and printers. In the latter case, say for a parallel printer, the printer mapping functionality in MetaFrame is used; LPT port redirection, which is described below, does not play a role.

Port Level Redirection

This method involves redirection of the low-level port itself, including COM, LPT and USB ports. These ports are generically identified as ports by the operating system and traffic to them is simply redirected between server and client. Today MetaFrame supports the generic redirection of only COM and LPT ports on the client device. With MetaFrame peripheral support explained, it can be seen that although generic USB port-level redirection is not supported by MetaFrame today, many USB peripheral devices are supported by the Device Level Redirection method described above.

USB Port Level Redirection

At this time Citrix does not support USB devices that require low-level port redirection. Due to the large number of USB-based devices available and the somewhat proprietary nature of each manufacturer's implementation of USB, it has not been possible to date to make a generic USB port redirection solution available as a standard part of the MetaFrame product. Citrix is, however, investigating the possibility of creating USB solutions for particular devices at the high-level device redirection layer described above. Contact Citrix Systems for the possibility of creating customized solutions for such products, or for information on future support for them within the standard product.
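The [UPD:PCL5c] tag described under Universal Printer Driver above makes driver fallback visible in every auto-created printer's name, which gives an administrator a cheap way to check a "universal driver only when no native driver exists" policy and to feed the procedure for adding supported printers. The following is an added example, not code from the original text or from Citrix. It assumes a printer name layout of "printer/client/Session n" ahead of the tag (the tag format is from the text; the rest of the layout is an assumption), and the printer names and supported-model list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout of an auto-created client printer name in an ICA session:
#   <client printer name>/<client device name>/Session <n> [UPD:<language>]
# The trailing "[UPD:PCL5c]"-style tag is the one the text describes; the
# rest of the layout is an assumption made for this example.
_NAME_RE = re.compile(
    r"^(?P<printer>.+?)/(?P<client>[^/]+)/Session (?P<session>\d+)"
    r"(?:\s*\[UPD:(?P<upd>[A-Za-z0-9]+)\])?$"
)


@dataclass(frozen=True)
class ClientPrinter:
    printer: str                  # printer model/name as presented by the client
    client: str                   # client device name
    session: int                  # ICA session number
    upd_language: Optional[str]   # "PCL5c", "PCL4", "PS"; None means a native driver


def parse_printer_name(name: str) -> Optional[ClientPrinter]:
    """Split an auto-created printer name; None if it does not match the layout."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        return None
    return ClientPrinter(m["printer"], m["client"], int(m["session"]), m["upd"])


def audit(names, supported_models):
    """Classify auto-created printers against the go-live supported list.

    Returns counts of native- and UPD-backed printers, names that could not be
    parsed, (model, client) pairs where a supported model still fell back to the
    universal driver (a native driver should have been used, so the server's
    driver set needs investigating), and unsupported models that users print to
    through the UPD (candidates for the add-a-printer procedure).
    """
    result = {"native": 0, "upd": 0, "unparsed": [], "investigate": [], "request": []}
    requested = set()
    for name in names:
        cp = parse_printer_name(name)
        if cp is None:
            result["unparsed"].append(name)
            continue
        if cp.upd_language is None:
            result["native"] += 1
            continue
        result["upd"] += 1
        if cp.printer in supported_models:
            result["investigate"].append((cp.printer, cp.client))
        else:
            requested.add(cp.printer)
    result["request"] = sorted(requested)
    return result


# Constructed sample data for the example; not taken from a real farm.
SUPPORTED_MODELS = {"HP LaserJet 4", "Epson Stylus Color 740"}
SAMPLE_NAMES = [
    "HP LaserJet 4/WS-MKT01/Session 3",
    "HP LaserJet 4/WS-MKT02/Session 5",
    "Fax/WS-MKT01/Session 3",
    "Epson Stylus Color 740/MAC-ART01/Session 7 [UPD:PCL5c]",
    "Canon BJC-250/WS-REMOTE9/Session 2 [UPD:PCL4]",
    "HP LaserJet 4/WS-MKT03/Session 9 [UPD:PCL5c]",
    "garbage",
]

if __name__ == "__main__":
    report = audit(SAMPLE_NAMES, SUPPORTED_MODELS)
    print(f"native drivers: {report['native']}, universal driver: {report['upd']}")
    for model, client in report["investigate"]:
        print(f"supported model fell back to UPD: {model} on {client}")
    for model in report["request"]:
        print(f"unsupported model printed through UPD: {model}")
    for name in report["unparsed"]:
        print(f"unparsed printer name: {name!r}")
```

Run against the printer names enumerated on each MetaFrame XP server, the "investigate" list is the one that matters for the policy: a supported model that still shows the UPD tag means the native driver is missing or mismatched on that server, while the "request" list is the input to the procedure for adding printers to the supported list.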
USB Drivers and ICA Clients

Note that all of the USB peripheral support above assumes the existence of a proper USB device driver for the operating system on the client device, and of course a corresponding Citrix ICA Client for that operating system that supports the mapping functionality in question. For example, not all Citrix ICA Clients support the use of smart cards, whether or not a device driver from the manufacturer exists.

USB Printers on Macintosh Computers

The Citrix ICA Client for Mac OS X v6.30 provides general support for printers attached via Macintosh USB ports. For the Citrix ICA Client for Macintosh v6.20 and earlier, support for USB printing is limited. Some manufacturers supply printer drivers that allow a print file to be sent directly to specific USB printers (e.g. Epson Stylus Color 740), and these function correctly with the 6.20 ICA Client. Printing to PC printers through a USB port (using a USB-to-parallel cable) is also supported using the PowerPrint product from Strydent Software (www.strydent.com). Another alternative is to print via a network print server instead of using the client printer mapping functionality in the ICA Client.

USB Printers on Windows Based Terminals

USB support for Windows Based Terminal (WBT) client devices is vendor dependent.

Requirements

DABCC.COM has defined reliable printing from any application to both local and remote devices as a design goal. Keeping to that goal, DABCC.COM requires the ability to print to local print devices and to network print servers. DABCC.COM requires the following printers to be supported on go-live day and understands that any additional printers might require additional configuration. DABCC.COM requires the creation of policies and procedures to add printers to the supported list.
Recommendations

It is recommended that DABCC.COM configure the MetaFrame XP printing design as follows:

Client Printers: It is recommended that DABCC.COM enable auto-creation of client LPT printers only; all other printers will be assigned as network printers. It is recommended to assign auto-creation of printers on a user-by-user basis.

Local Printers: DABCC.COM will not be utilizing local MetaFrame printers.

Network Printers: It is recommended that DABCC.COM import its network print servers and assign their printers on a user-by-user basis. This gives DABCC.COM the ability to assign network printers per user and, because network print jobs travel from the MetaFrame XP server to the print server over TCP/IP rather than through the ICA session, reduces ICA bandwidth.

Universal Printer Driver: It is recommended that DABCC.COM configure the Citrix Universal Printer Driver to be used only when a native print driver is unavailable.

Procedures for adding additional printers: DABCC.COM administration staff will use the farm's printer driver compatibility settings to manage failed auto-created printers. End-users will be trained on how to notify administrators about printing errors, and on the fact that the first time they sit at a remote site with an unknown printer they might need to wait 24 hours for the printer to be supported on the network.

| Within the Application Delivery Architecture you will be required to define the MetaFrame Access Suite technologies that will be used to deliver published applications and content to end-users. The Application Delivery Architecture section of the Design Phase consists of the following sections:

- MetaFrame XP Web Interface Design
- MetaFrame Secure Access Manager Design
- MetaFrame XP ICA Clients Design

The following is an example of an Application Delivery Architecture Design:

| 3.2 Application Delivery

The MetaFrame XP Design defines the logical structure that will be used to deploy MetaFrame XP with Feature Release 3. In the following design D & D Consulting will define the MetaFrame XP architecture and all of its subcomponents.
D & D Consulting will also define the method that will be used to deliver MetaFrame XP applications and content to the end-users and the method that will be used to secure the MetaFrame environment. The Application Delivery section of the Design Phase consists of the following sections:

- MetaFrame XP Web Interface Design
- MetaFrame Secure Access Manager Design
- MetaFrame XP ICA Clients Design

| During the MetaFrame XP Web Interface Design section of the Application Delivery Architecture you will be required to define how, and whether, the end-users will utilize the Web Interface to access the MetaFrame XP published resources. You will also want to define whether any custom development will be done to the Web Interface page, e.g. the addition of a connection-speed drop-down box to address variable bandwidth usage. The following is an example of a MetaFrame XP Web Interface Design:

| 3.2.1 MetaFrame XP Web Interface Design

Background

Web Interface 2.1 brings a powerful user interface to create a secure application deployment process. This interface uses Java object technology executed on a Web server to dynamically create an HTML-based presentation of the Citrix MetaFrame XP server farm for each user. Included in each user's presentation are all of the applications published in the Citrix MetaFrame XP server farm for that user. Web Interface 2.1 is both a developer's tool and a Web master's application. Web Interface includes an API and a fully functional, feature-rich default site. The API lets you create customized Web server scripts from scratch to meet the requirements of your environment, while the default site allows an administrator to use an out-of-the-box solution to be up and running in hours. With Web Interface you are able to deliver a seamless interface between the user and their applications with little or no configuration on the client side.
The following are just two of the advanced features leveraged by using Web Interface:

Centralized Management of remote ICA Clients: Web Interface 2.1 allows you to centrally manage ICA Client configurations through a centrally located Web administration page. This allows administrators to configure such items as MetaFrame XP farm attributes, firewall traversal, ICA Client deployment, Java client configuration and much more.

ICA Client Detection and Installation: When a client device user visits a Web Interface Web site, the Web-based ICA Client installation code detects the device and Web browser types and prompts the user to install an appropriate ICA Client. In the case of 16- and 32-bit Windows devices, Web-based ICA Client installation can also detect the presence or absence of an installed ICA Client and prompt the user if necessary.

Requirements

DABCC.COM would like to simplify and streamline the process of deploying applications and content to the end-users from anywhere, on any device, at any time. The deployment design is required to be the most cost-effective secure design possible while keeping with Citrix MetaFrame XP best practices.

Recommendations

D & D Consulting recommends that DABCC.COM implement Web Interface 2.1. This will give DABCC.COM end-users the ability to access published interactive applications from any standard Web browser (Internet Explorer, Netscape, Mozilla). It will also allow for rapid ICA Client deployment regardless of the client operating system. DABCC.COM is recommended to implement multiple Internet Information Services (IIS) servers running Web Interface 2.1. This will allow DABCC.COM to achieve high availability for client application enumeration and authentication.

| During the MetaFrame Secure Access Manager Design section of the Application Delivery Architecture you will be required to define the Access Center through which the end-users will access their corporate resources.
The following is an example of a basic MetaFrame Secure Access Manager Design:

| 3.2.2 MetaFrame Secure Access Manager Design

Background

MetaFrame Secure Access Manager 2.0 (MSAM) is access infrastructure which offers corporations a way to provide secure role-based access to corporate information and services in a Business to Employee (B2E), Business to Business (B2B), Business to Consumer (B2C) and even an Enterprise Information Portal (EIP) format without the need for developers or a VPN infrastructure. A single MetaFrame Secure Access Manager infrastructure can support secure access to one or more environments, enabling organizations to deliver corporate applications and content to their users (B2E) as well as delivering services to partners (B2B) and customers (B2C). MetaFrame Secure Access Manager offers users a single unified interface from which all of their job-specific applications, data, corporate information and services can be securely accessed from any Web browser. All of this is accomplished without writing a single line of code or deploying a VPN.

MetaFrame Secure Access Manager consists of three optional infrastructure components: the Content Delivery Service (CDS), the Secure Gateway (SG) and the MetaFrame Index Server. The customer's needs will dictate which components are utilized. The CDS, SG and MetaFrame Index Server components are all bundled together under the name MetaFrame Secure Access Manager. The CDS allows rapid content integration and the configuration of access roles to existing applications, data and corporate content. The integrated MetaFrame Index Server allows internal data such as office documents on file servers and existing intranet content, as well as external Web sites, to be indexed and queried from a page within an Access Center (Access Center is the Citrix term for a portal).
The Secure Gateway component is an SSL VPN solution providing conventional VPN-like security to the ICA, HTTP and HTTPS protocols without the need for a VPN infrastructure. This allows users to securely access their corporate services from a Web browser over a LAN, WAN, dial-up or wireless connection without a preconfigured VPN client. Note that the SSL/TLS tunnel terminates at the Secure Gateway: traffic between the Secure Gateway and the MetaFrame XP servers behind it is forwarded as ordinary ICA, so place the Secure Gateway in a DMZ, treat the segment behind it as trusted, and enable ICA encryption (SecureICA) on the published applications if that segment cannot be trusted.

Most corporations deliver services in a distributed computing environment where users control local and network applications and data from their workstation. Workstations are typically equipped with an office productivity suite as well as general-purpose applications like Adobe Acrobat Reader and WinZip. Users create and maintain data with local, network and Web applications, and save their data both locally and on network drives. As the amount of corporate information and services grows, this type of environment puts users in a position to spend a fair amount of time looking for their "stuff" on their local workstation and on the corporate network. We all know that finding specific information on a corporate network can be a challenge. The following image shows a typical LAN environment supporting standard IT services and how a user's environment is spread throughout the LAN.

[Figure: typical LAN environment with a user's applications and data spread across the workstation, file servers and databases]

Let's say that the user in the above example works in the marketing department and she is searching for a CRM application as well as related data which resides on a couple of file servers and databases. She would have to use operating system utilities to browse the network for the application and data, which as we all know can be a challenge. If she were to connect remotely with a VPN, her workstation would need a pre-configured VPN client and the same applications as her workstation in the office. In the above example the user's workspace is stationary, meaning that if she were to use a different workstation or a VPN remotely, her environment would be different at each location.
MetaFrame Secure Access Manager overcomes this issue by providing a way to configure roles for applications, data and corporate content. This allows corporations to centrally manage applications, data and content and securely deliver them based on job roles. Using the above example, when our user accesses a MetaFrame Secure Access Manager Access Center (Web site) from the office or remotely, she gains secure access to the same work environment. The main difference between the two models is that the former supports a stationary distributed work environment and the latter supports a centrally managed portable work environment that can be securely accessed from anywhere. The Secure Gateway is the component that provides the ability to securely access a preconfigured work environment from any workstation with a LAN, WAN, dial-up or wireless connection. MetaFrame Secure Access Manager offers corporations a way to migrate from a distributed environment to a centrally managed environment where access to corporate services is available to users anywhere. MetaFrame Secure Access Manager can securely deliver productivity applications, Web services, data on file servers, databases, and intranet and external Web content directly to the user's desktop. With MetaFrame Secure Access Manager users can securely access a consistent environment from any workstation in the office, at home or on the road. The following image shows how MetaFrame Secure Access Manager aggregates corporate content and delivers it to users through a Web browser. Access to a corporation's entire infrastructure can be easily and securely managed with MetaFrame Secure Access Manager.

[Figure: MetaFrame Secure Access Manager aggregating corporate content and delivering it through a Web browser]

The following image shows an Access Center page delivering role-based access to productivity applications, Web services, file servers, databases and existing corporate content. The menu-driven system allows folders to be displayed which contain pages.
Access can be configured at the folder and page level, allowing very granular control of resources. The following example breaks down the components of an Access Center page.

[Figure: components of an Access Center page]

Content Delivery Services

The Content Delivery Services (CDS) provide the ability to configure and display a portal front end through the use of the Access Manager Console (AMC) and XML configuration files. The Secure Access Manager Console allows administrators to configure themes, pages and CDAs, which control the information displayed to an Access Center user. The architecture of the CDS can be modified to create a customized look and feel for a portal. The look and feel of the CDS results from the deployment of content delivery agents (CDAs), themes, page templates and pages, described in the following table.

| Component | Description |
| CDA | Generates and presents content in the window of a user's browser. |
| Theme | Controls the look and feel of page elements, such as the color and font schemes of a portal. |
| Page Template | Defines the layout of a page. |
| Page | Controls user navigation and displays different content. |

Within CDS, an administrator can configure pages to control user navigation and display different content with CDAs. Access Center pages contain one or more cells of content. Each cell may contain one or more Content Delivery Agents (CDAs). CDAs are responsible for generating the meaningful content to be displayed to a user.
CDS performs the following tasks:

- Authenticates the user name and password to open the user session
- Sets the style sheet and theme
- Gathers information from the request to identify what page is being requested and who is requesting it
- Checks user authentication
- Creates the portal page
- Calls CDAs and puts them into the page
- Renders the page

Application Integration using CDAs and Web Parts

MetaFrame Secure Access Manager provides numerous adapters which offer administrators the ability to integrate existing IT infrastructure components without writing a single line of code. Application and content integration is done within the Access Manager Console (AMC) with Citrix Content Delivery Agents (CDAs) as well as Microsoft Web Parts. CDAs allow rapid integration of applications and content from various sources such as Citrix MetaFrame XP and MetaFrame for UNIX, Web applications, Web services, Web forms, shared directories on file servers, databases and document management solutions, as well as various email clients. Microsoft Web Parts enable rapid integration of applications and services such as Microsoft Outlook Smart Inbox, Microsoft Great Plains Business and Microsoft Office Spreadsheet solutions, and of syndicated external MSN and MSNBC content such as news, stock reports and weather. Once again, all this is accomplished without writing a single line of code. CDAs and Web Parts are modules of code that acquire content from an application or a Web site and display the content within an Access Center. Access Center pages can contain one or more CDAs and Web Parts. Citrix, Microsoft and third-party developers are continually creating new CDAs and Web Parts. Web Parts are available from Microsoft's Web Part gallery (a search from your favorite search engine will provide you with the current URL) and third-party CDAs are available from their respective sources. There is a large community of developers, as well as a great group of folks at CDAEXCHANGE, that develop, test and freely distribute CDAs. Because a CDA is code that executes inside the Access Center and acts on the user's behalf against back-end systems, treat third-party CDAs as you would any other software from an outside source: verify where they came from and review them before deploying them to a production Access Center.
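The CDS task list above, together with the folder- and page-level access control and the role, home page, theme and "Add tab" behaviour described in this section, amounts to a small request pipeline. The following added example (not code from the original text or from Citrix) models that pipeline in memory: logon opens a session, a folder-and-page check gates each page request, only CDAs the user's roles grant are called into the page's cells, and granted CDAs that are not on the page are returned for the Add tab. CDA names are taken from the list in this section; the pages, roles, user, password and the PBKDF2 password check standing in for Windows authentication are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    name: str
    folder: str
    cdas: tuple          # CDAs the page template places in the page's cells


@dataclass(frozen=True)
class Role:
    name: str
    home_page: str
    theme: str
    folders: frozenset   # folders the role may open
    pages: frozenset     # pages the role may open
    cdas: frozenset      # CDAs the role is permitted to run


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    theme: str           # primary theme taken from the user's role


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the product's Windows authentication; PBKDF2 keeps the example offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessCenter:
    """Model of the CDS request cycle: logon, session, folder/page access
    check, CDA selection and render. Example code, not the product's own."""

    def __init__(self, pages, roles, accounts):
        self.pages = {p.name: p for p in pages}
        self.roles = {r.name: r for r in roles}
        self.accounts = accounts   # user -> (salt, password hash, role names)
        self.sessions = {}         # session id -> Session

    def logon(self, user, password):
        """Authenticate the user name and password and open a session."""
        rec = self.accounts.get(user)
        if rec is None:
            return None
        salt, pw_hash, role_names = rec
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        roles = frozenset(role_names)              # every user has at least one role
        theme = self.roles[min(roles)].theme       # first role (by name) supplies the theme
        sid = secrets.token_hex(16)                # unguessable session id
        self.sessions[sid] = Session(user, roles, theme)
        return sid

    def can_access(self, sid, page_name):
        """Folder-level and page-level check: some role of the session must grant both."""
        sess = self.sessions.get(sid)
        page = self.pages.get(page_name)
        if sess is None or page is None:
            return False
        return any(page.folder in self.roles[r].folders and page.name in self.roles[r].pages
                   for r in sess.roles)

    def render(self, sid, page_name):
        """Build the page: only CDAs the roles grant are called into the cells;
        granted CDAs absent from the page are offered on the Add tab."""
        if not self.can_access(sid, page_name):
            raise PermissionError(f"{page_name!r} is not available in this session")
        sess = self.sessions[sid]
        page = self.pages[page_name]
        granted = frozenset().union(*(self.roles[r].cdas for r in sess.roles))
        cells = [c for c in page.cdas if c in granted]
        add_tab = sorted(granted - set(page.cdas))
        return {"user": sess.user, "theme": sess.theme, "page": page.name,
                "cells": cells, "add_tab": add_tab}


# Constructed configuration: CDA names come from the list in this section,
# everything else (pages, role, user, password) is invented for the example.
SALT = b"example-salt"
PAGES = [
    Page("Marketing Home", "Marketing",
         ("Program Neighborhood", "Shared Documents", "Database Viewer")),
    Page("Finance Reports", "Finance", ("Database Viewer", "Website Viewer")),
]
ROLES = [
    Role("Marketing", "Marketing Home", "Corporate", frozenset({"Marketing"}),
         frozenset({"Marketing Home"}),
         frozenset({"Program Neighborhood", "Shared Documents", "Database Viewer",
                    "Web Search", "World Clock"})),
]
ACCOUNTS = {"jdoe": (SALT, _hash_password("correct horse", SALT), ("Marketing",))}


def demo():
    ac = AccessCenter(PAGES, ROLES, ACCOUNTS)
    sid = ac.logon("jdoe", "correct horse")
    return ac.render(sid, "Marketing Home"), ac.can_access(sid, "Finance Reports")


if __name__ == "__main__":
    rendered, finance_ok = demo()
    print(rendered)
    print("Finance Reports accessible:", finance_ok)
```

The role in the sample grants five CDAs while its page carries three, so the render result lists three cells and two Add-tab entries, and the Finance page is refused even though the role is allowed to run one of the CDAs on it: the folder/page check runs before CDA selection, which is the granularity this section describes. The session record deliberately carries only the user name and roles, not the password.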
The following lists known CDAs and Web Parts that can be used in an Access Center.

MSAM CDAs: Account Summary for Documentum; Adapter for Lotus Notes Web Access; Adapter for Microsoft SharePoint; Adapter for Stellent; Advanced Search for Documentum; Adapter for NetMeeting; Alert Broadcaster; Alert Broadcast Manager; Database Viewer; Program Neighborhood; Embedded Application; Event CDA for eRoom; Interactive Poll; Internal Search; Message Center; My Account for Documentum; Personnel CDA for eRoom; Personnel Locator; Shared Documents; Website Viewer; Web Favorites; Search; Search CDA for eRoom; Web Search; World Clock.

CDAEXCHANGE: Local Application Access; SAP Adaptor; Change Password CDA; Citrix Support; Calendar; AskJeeves Search; Embedded Media Player; Lycos Search; Google Search; Database Driven News Scroller; Local File Explorer; UK Weather Map; Basic Calculator; Clock; Dashboard; Personalized Weather Content.

Web Parts: MS Outlook Smart Mailbox; MS Outlook Smart Contacts; MS Outlook Smart Calendar; MSN Encarta Reference; MSN MoneyCentral Search; MSN MoneyCentral Stock Quotes; MSN MoneyCentral Stock Ticker; MSNBC Business News; MSNBC Stock News; MSNBC Stock Quote List; MSNBC Weather; .NetWire News; Hoovers Business Buzz; Hoovers Capsule Search; Hoovers City Guides; Hoovers Headline News; Hoovers Industry Updates; Hoovers IPO Alerts; Hoovers IPO Hot List; Hoovers IPO Week Rating; Hoovers IPOs on Deck; Hoovers Simple Search; Hoovers Weather; Industry News (one Web Part per industry): Aerospace & Defense; Automotive & Transport; Banking; Chemicals; Computer Hardware; Computer Software & Services; Conglomerates; Consumer Products (Durables); Consumer Products (Non-Durables); Diversified Services; Drugs; Electronics; Energy; Financial Services; Food, Beverage & Tobacco; Health Products & Services; Insurance; Leisure; Manufacturing; Materials & Construction; Media; Metals & Mining; Real Estate; Retail; Specialty Retail; Telecommunications; Transportation; Utilities; Factiva Search Form Module; Factiva Search Box Module; Factiva Track Summary View Module; Factiva Track Folder View.

Pages

Pages are a set of Active Server Pages (ASP) that display an Access Center's content. A page also defines which CDAs appear in the cells of the page, based on the identified template. Pages are made available to users via access roles. The Pages node in the Secure Access Manager Console allows administrators to create new pages, define the page type and identify which CDAs are available on a specific page. Three types of page can be created in MetaFrame Secure Access Manager. The CDS provides the means of making portal content available to users. As delivered, MetaFrame Secure Access Manager includes a set of template pages.

Themes

MetaFrame Secure Access Manager themes are collections of Cascading Style Sheets (CSS), image files and a corresponding color scheme. They control the look and feel of portal pages. MetaFrame Secure Access Manager ships with numerous in-the-box themes and supports the import of custom themes. The elements in a theme include background color, background images, buttons, text color and so on. In addition to a choice of predefined themes, you can create custom themes that match your business needs. Each time you create a new Access Center, MetaFrame Secure Access Manager checks the registry to obtain the default settings for certain CDS configurations.

Users

If user authentication is enabled, user accounts must be created for each user that needs access to the portal. Accounts can be imported from any trusted Windows NT or Active Directory user domain. Users must be assigned at least one role.
Because the CDS includes a security layer based on Windows authentication, administrators can control which CDAs users can access. Once a user is authenticated, a session ID is created on that user's behalf. The session ID holds the user name, password, profile, and so on.

Roles

A role identifies a group of users who need to access the same set of CDAs within the portal. The role determines what content is available to these users via folders, pages and CDAs. A role also defines the user's home page and a default or primary theme. When you add CDAs to a role, the CDAs do not necessarily appear on the page associated with the role. For example, if you add five CDAs to a role, but only three of those CDAs are part of the page associated with the role, then the other two CDAs are available when the user displays the Add tab, if configured.

MetaFrame Secure Access Manager's Access Center Service Components

MetaFrame Secure Access Manager's Access Center infrastructure is composed of basic service components, which can be installed on one or more physical machines, depending on client requirements. The following are the MetaFrame Secure Access Manager server components:
- State Server
- Agent Servers
- CDS and CDAs
- Database for Auditing and Repository
- Web Servers
- Administration (Secure Access Manager Console)

The following image shows MetaFrame Secure Access Manager's CDS infrastructure as well as existing back-end IT services.

State Server

The first installed machine in a MetaFrame Secure Access Manager server farm is called the primary server. A MetaFrame Secure Access Manager server farm takes its name from the primary server, which is always the State server. There can be only one State server per server farm. A hot stand-by can be used for high availability, as can MS Clustering (Active/Passive). The State server can be considered the brain of a MetaFrame Secure Access Manager server farm.
The State server controls how data is cached in memory or written to persistent storage. A State server caches and stores configurations, manages data in memory, and writes data to disk (persistent storage). The State server stores user profiles, role information, portal configurations, CDAs, and page configurations.

How is the State server structured? Each Access Center in a server farm has its own ConfigSpace and Cache Types. Each server farm has its own Administration ConfigSpace, which holds licensing and server information (for example, MetaFrame Secure Access Manager Load Balancer Server and MetaFrame Settings) for the server farm. The top level is the ConfigSpace (think of namespacing; this would be the name of the Access Center) and the second level comprises Cache Types (types of configurations organized in a tree structure and persisted to disk for fault tolerance). The following image shows the State Server's structure.

State Server Filebase Size

When your user communities become large and State Server performance becomes an issue, sizing the State server's filebase becomes critical. Consider the following to assist with your purchase decisions for "RAM drives". The following list shows the State server's filebase sizing components:
- Session info: starting at 1k per user
- Access Center pages: starting at 2k each
- User personalized data: starting at 80 bytes per user

For example, 15,000 users with 10 pages makes for a State Server filebase of 75 MB.

Agent Server

Agent Servers are the workhorses in a server farm. They process real-time XML messages, execute the requests, and send back the responses to IIS Web servers. Agent servers host the Content Delivery Services (CDS). CDS is responsible for rendering a page and its data. Each server farm requires one Agent server; more can be added to scale capacity.
Server Farm Database

The MetaFrame Secure Access Manager server farm uses a data storage mechanism, the server farm database, to hold configuration and settings data. The database holds basic file version information and a duplicate of the portal configuration that is on the State server. MetaFrame Secure Access Manager ships with MSDE and supports SQL Server 7.0 SP3, SQL Server 2000 SP2, MSDE 1.0 and 2000.

Web Server

MetaFrame Secure Access Manager Web Servers host the XML message brokering DLL (Host.dll), which creates the XML messaging for internal communication, the Load Balancing service (Loadbalanceservr.dll) and the portal's virtual directories. A MetaFrame Secure Access Manager Web server receives an HTTP request from a browser and then sends back an HTTP response. Web servers compose an XML message from the incoming parameters and send it to the Agent servers for processing. The Web servers receive XML responses from the Agent servers, deconstruct them, and write data (HTML, cookies) back to the browser. Web servers use Independent Management Architecture (IMA) to communicate with the Agent servers. Web Servers are not automatically load balanced, although they do support the following load balancing solutions:
- DNS Round Robin
- NLB
- Hardware load balancing

Access Manager Console

The Access Management Console is a wizard-driven, centralized management console that runs as an MMC. All service components within a MetaFrame Secure Access Manager server farm are managed through the Access Management Console. The Access Management Console reads and writes its configurations to the State server and repository. Server farm configurations are immediately saved to the repository and to the ConfigStore. You can install the Access Management Console on any Windows 2000 or XP machine. The Access Management Console can be used remotely and can manage multiple MetaFrame Secure Access Manager server farms.
The Access Manager Console supports:
- Multi-site-farm administration
- Multi-server administration
- Role configuration
- Page creation and layout
- CDA, Web Part and Content importation
- Import/Export Access Centers
- Branding

Use the Secure Access Manager Console to configure:
- Sites
- Folders
- Pages
- Users
- Roles
- Themes

Requirements

DABCC.COM requires a highly productive, secure, locked down environment for end-user access for both internal and external end-users.

DABCC.COM requires the solution to support a maximum of 27 users.

DABCC.COM requires the solution to be easy to manage, easy to deploy and easy to use.

DABCC.COM requires the solution to require no additional web or development skills.

DABCC.COM requires the solution to supply personalized access to the following roles.

| Role Name | Description |
| Engineering | Engineering department group access |
| Sales | Sales department group access |
| Management | Upper management group access |

DABCC.COM requires the solution to contain the following folders.

| Folder Name | Description |
| Home | Contains home pages for each of the above roles |
| Administrative Tools | Contains the following pages: Management Console for MetaFrame XP; Access Management Console; Misc. Administrative Tools |
| File Cabinet | Contains the following pages: Data; Application; Personal |
| Home | Contains the following pages: Engineering Home; Management Home; Sales Home |
| Resources | Contains the following pages: Travel; Maps; HR Documents |
| Support | Contains the following pages: DABCC.COM Support; Citrix Support; Microsoft Support; Search |

DABCC.COM requires the ability to deploy all MetaFrame XP published applications and content to end-users, along with the following Content Delivery Agents (CDAs).

MSAM CDAs
- Alert Broadcaster
- Alert Broadcast Manager
- Embedded Application
- Interactive Poll
- Internal Search
- Message Center
- Personnel Locator
- Shared Documents
- Website Viewer
- Web Favorites
- Search
- Web Search
- World Clock

CDAEXCHANGE
- Local Application Access
- Citrix Support
- Embedded Media Player
- Google Search
- Database Driven News Scroller
- Local File Explorer
- Basic Calculator

Web Parts
- MS Outlook Smart Mailbox
- MS Outlook Smart Contacts
- MS Outlook Smart Calendar
- MSN Encarta Reference
- MSN MoneyCentral Stock Ticker
- MSN MoneyCentral Search
- MSNBC Business News
- MSNBC Stock News
- MSNBC Stock Quote List
- MSNBC Weather
- .NetWire News
- Industry News Computer Hardware
- Industry News Computer

DABCC.COM requires the solution to contain the following pages. Each page description lists the CDAs and/or Web Parts the page contains.

| Page Name | Description |
| Management Console for MetaFrame XP | Embedded Application configured to publish the Management Console for MetaFrame XP. The rest of the page will be locked down. Grant access to the CTX_Admins group. |
| Access Management Console | Embedded Application configured to publish the Access Management Console. The rest of the page will be locked down. Grant access to the CTX_Admins group. |
| Misc. Administrative Tools | Alert Broadcast Manager. The page will not be locked down. Grant access to the CTX_Admins group. |
| Data | Shared Documents configured to display the company Data share. This page will be locked down. Grant access to all users. |
| Applications | Shared Documents configured to display the company Application share. This page will be locked down. Grant access to all users. |
| Personal | Shared Documents configured to display the user's Home share. This page will be locked down. Grant access to all users. |
| Engineering Home | MSN MoneyCentral Stock Ticker; Local Application Access; Personnel Locator; Alert Broadcaster; Embedded Application configured to publish Microsoft Outlook 2002; MSNBC Weather. This page will be locked down. Grant access to the Engineering role. |
| Management Home | MSN MoneyCentral Stock Ticker; Local Application Access; Personnel Locator; Alert Broadcaster; Embedded Application configured to publish Microsoft Outlook 2002; MSNBC Weather. This page will be locked down. Grant access to the Management role. |
| Sales Home | MSN MoneyCentral Stock Ticker; Local Application Access; Personnel Locator; Alert Broadcaster; Embedded Application configured to publish Microsoft Outlook 2002; MSNBC Weather. This page will be locked down. Grant access to the Sales role. |
| Travel | Website Viewer configured to present the Travel department web site and travel authentication page. This page will be locked down. Grant access to all roles. |
| Maps | Embedded Application configured to publish Microsoft MapPoint 2004. This page will be locked down. Grant access to the Sales role. |
| HR Documents | Shared Documents configured to display the HR share. This page will be locked down. Grant access to all users. |
| DABCC.COM Support | Website Viewer configured to present the Travel department web site and travel authentication page. This page will be locked down. Grant access to all roles. |
| Citrix Support | Website Viewer configured to present the Citrix Support web site. This page will be locked down. Grant access to all roles. |
| Microsoft Support | Website Viewer configured to present the Microsoft Support web site. This page will be locked down. Grant access to all roles. |
| Search | Search; Web Search; Internal Search. This page will be locked down. Grant access to all roles. |

Recommendations

Based on the requirements, D & D Consulting recommends the deployment of MetaFrame Secure Access Manager 2.0 on one Microsoft Windows 2000 Server.

D & D Consulting recommends deploying the above pages, folders, users and roles to the company-wide Access Center.

D & D Consulting recommends deploying Secure Gateway for MetaFrame to secure both ICA and HTTP/HTTPS traffic through the Access Center.

During the MetaFrame XP ICA Client Design section of the Application Delivery Architecture you will be required to define the MetaFrame XP ICA Clients that will be used to access MetaFrame XP published resources in the MetaFrame Access Suite environment. You do this by looking at the vision and requirements to define the best client not only for the use case but also for the users' physical location.
For example, if end-users will be connecting remotely through the Web Interface and/or MetaFrame Secure Access Manager, you might want to deploy the Web Client, whereas on the LAN the Program Neighborhood Agent client will be deployed to the Microsoft Windows workstations. The following is an example of a basic MetaFrame XP ICA Client Design:

3.2.3 MetaFrame XP ICA Client Design

Background

A Citrix MetaFrame XP ICA Client needs to be deployed on workstations in order to access MetaFrame XP published resources. Citrix has many different ICA Clients to accomplish this task, but not all Citrix ICA Clients share the same features for connecting to MetaFrame XP servers. The following defines the different ICA Clients and their benefits.

Program Neighborhood

The Program Neighborhood client has a graphical user interface (GUI) that allows users to browse for application sets from client devices running 32-bit Windows desktop operating systems. It gives you complete application control by publishing MetaFrame XP applications to the local desktops. With Program Neighborhood, MetaFrame XP applications can be pushed to the client device, integrated into the local desktop, or pushed directly to the Start menu. Program Neighborhood allows for the following functionality.

TAPI support. Allows for dial-up connections. Citrix ICA Clients for DOS and Win16 can interpret Windows 9x and Windows 2000 modem configuration files into legacy INI files to ensure optimum performance for dial-up users.

International keyboard support for Web browsers. Allows users worldwide to use the Citrix ICA Clients with Internet Explorer and Netscape, current versions of which support international keyboard layouts.

Client device mapping. Allows users to transparently access local printers and disk drives. Drive letters on the MetaFrame XP server are configurable so client devices can keep their drive letters. Long filenames are supported.
Any printers detected when you connect to a MetaFrame XP server are automatically mapped for use with the applications users run on the server. Client printers can be browsed and connected to in the same way as network printers (Windows, WinCE, and DOS Clients).

COM port mapping. Allows users to transparently access local COM ports. The ICA Client COM port redirector lets ICA Client users (DOS, Win16, and Win32 platforms) use most peripherals that connect to serial ports as if they were connected to a COM port on the MetaFrame XP server.

Windows clipboard integration. Allows users to cut and paste data between ICA sessions and local applications using the Windows Clipboard.

Audio support. MetaFrame XP provides audio support for most ICA Clients. You can use compression to maximize bandwidth utilization. ICA supports audio through Sound Blaster 16-compatible sound hardware in DOS and Windows client devices.

Disk caching and data compression. These options increase performance over low-speed asynchronous and WAN connections. Disk caching stores frequently used application images (such as icons and bitmaps) locally, increasing performance by avoiding retransmission of locally cached data. Data compression reduces the amount of data sent over the communications link to the client device.

Seamless windows support. Certain ICA Clients support the seamless integration of local and remote applications on the local desktop. Configuring an ICA connection for seamless windows lets users switch among local and remote applications with keyboard controls or the local taskbar. Seamless windows connections also support remote application icons on the local desktop, and tiling and cascading between local and remote Windows applications.

Business recovery. ICA Clients support multiple site addresses (for primary and hot backup, for example) for the same published application name.
This feature helps assure consistent connections to published applications in the event of server disruptions.

Client print manager. Users can define which client printers can be configured on their client devices. This feature provides a means to store printer properties on a per-client-device basis while simplifying printer configuration for non-Windows clients.

Multi-monitor support. The ICA Win32 Client supports the multi-monitor features of Microsoft Windows 98, Windows 2000, and Windows XP clients. It also supports the virtual desktop feature provided by some graphics cards for Windows 95 and Windows NT 4.0.

Panning and scaling. If the ICA session is larger than the client computer's desktop, you can pan the ICA session window around the full session desktop. Scaling allows you to view more of the ICA session at one time without panning by shrinking the perceived size of the ICA session.

If you do not want to deliver applications using the Web (Web Interface and/or MetaFrame Secure Access Manager), publish the applications for direct access. To directly access applications published on MetaFrame XP servers, users launch the ICA Win32 Program Neighborhood Client to browse for application sets or create custom ICA connections to Citrix servers or published applications. Remember that this could add client configuration requirements.

Program Neighborhood Agent

You can use the ICA Win32 Program Neighborhood Agent with Web Interface to push links to applications directly to users' Windows desktops. Because users do not run a Web browser to view a Web page, accessing remote applications is just like accessing local applications. You can also use Client to Server Content Redirection, which allows you to open local files with MetaFrame published applications. Remember that this requires the installation, but not the end-users' use, of the Web Interface. Users work with your published resources the same way they work with local applications and files.
Published resources are represented throughout the client desktop, including the Start menu and the Windows system tray, by icons that behave just like local icons. Users can double-click, move, and copy icons, and create shortcuts in their locations of choice. The Program Neighborhood Agent works in the background. Except for a shortcut menu available from the system tray, it does not have a user interface.

ICA Web Clients

Use the ICA Win32 Web Client if you want users to access published resources via Web Interface 2.0 and/or MetaFrame Secure Access Manager 2.0. The full Web Client is available as a self-extracting executable and as a .cab file. At approximately 1.8MB in size, this package is significantly smaller than the other ICA Win32 Clients. The smaller size allows users to more quickly download and install the client software. You can configure the ICA Win32 Web Client for silent user installation.

The ICA Win32 Web Client (Minimal Installation) is a smaller version of the Web Client designed to support the core functions of MetaFrame XP for users running Internet Explorer. At approximately 1.01MB in size, this is the smallest Web Client available for use with MetaFrame XP products. Use this client when your environment requires a small download and minimal functionality, or use this client in a locked down environment where installing a traditional client may not be allowed by security settings.
The ICA Win32 Web Clients support the following features:

| Feature | ICA Win32 Web Client | ICA Win32 Web Client (Minimal Installation) |
| User-to-user shadowing | X | |
| Smart card support | X | X |
| Content redirection | X | |
| Enhanced content publishing support | X | X |
| Roaming User Reconnect | X | |
| Support for SSL/TLS encryption of ICA session data | X | X |
| Support for the new Web Interface for MetaFrame XP, NFuse Classic, and the Web Interface Extension for MetaFrame XP | X | X |
| Support for the Secure Gateway for MetaFrame | X | X |
| Enhanced Internet proxy support | X | |
| Auto Client Reconnect | X | X |
| Novell Directory Services support | X | |
| Extended parameter passing | X | |
| Seamless windows | X | |
| Client device mapping | X | |
| Client drive mapping | X | X |
| Client printer mapping | X | X |
| Sound support | X | |
| TCP/IP+HTTP server location | X | X |
| Wheel mouse support | X | |
| Multiple monitor support | X | |
| Panning and scaling | X | |
| Per-user time zone support | X | |
| Windows clipboard integration | X | |
| Low bandwidth requirements | X | X |
| SpeedScreen latency reduction | X | |
| Disk caching and data compression | X | |

ICA Java Client

The ICA Java Client is a Java applet that provides access to applications running on a MetaFrame server farm from any computer device with a standard Web browser. The applet is downloaded and run, creating the perception of a clientless connection. The Java Client is optimized for use in Web environments where it is not possible or desirable to install software on the client device. The following are the features available in the Java ICA Client 7.0.
- Seamless support
- Content redirection
- Enhanced content publishing
- Reconnection to arbitrarily sized sessions
- Mouse wheel support when using any J2SE (Java 2 Platform, Standard Edition) Version 1.4 environment
- Support for a range of security technologies, including proxy servers, the Secure Gateway for MetaFrame, SSL encryption, TLS encryption, and ICA encryption
- Automatic reconnection when a session ends
- Ability to pass parameters to published applications
- Video support: resolutions up to 65536 x 65536; 256 color to 24-bit (16.7 million colors)
- Client clipboard mapping
- Client drive, printer, and audio mapping
- Data compression to reduce the amount of data that needs to be transferred over the network
- Data caching to improve performance on bandwidth-limited connections
- SpeedScreen Latency Reduction to improve performance over high-latency connections by providing instant feedback to the user in response to typed data or mouse clicks
- Business recovery to provide consistent connections to published applications in the event of a master ICA browser server disruption
- Hotkeys to use as substitutes for the standard Windows hotkeys for a published application
- Shadowing. From MetaFrame XP Feature Release 2, user-to-user shadowing is available as well as administrator-driven shadowing, provided the MetaFrame XP server is configured appropriately. For further information about shadowing, see the MetaFrame XP documentation.

Requirements

DABCC.COM has defined the requirement to minimize the ability of end-users to create custom connections.

DABCC.COM would like to provide all the features of the ICA Client to their end-users, minus any locally installed GUI interfaces.

DABCC.COM would like LAN users to not require any additional authentication and/or mouse clicks other than the application.
Recommendations

Based on the requirements, D&D Consulting recommends deploying the ICA Web Client (full) via Web Interface 2.1 and MetaFrame Secure Access Manager 2.0 to remote end-users' client devices, while LAN users will be deployed the Program Neighborhood Agent ICA Client to minimize end-user training while maximizing productivity.

During the Security Architecture you will be required to define the technologies to be used to secure the proposed MetaFrame Secure Access Manager 2.0 environment. It also defines the password management architecture. The Security Architecture section consists of the following sections:
- Secure Gateway for MetaFrame Design
- MetaFrame Password Manager Design

The following is an example of a Security Architecture:

3.3 Security Architecture

The Security Architecture defines the logical structure that will be used to secure the MetaFrame Secure Access Manager 2.0 environment. In the following section D & D Consulting will define the technologies recommended to secure the proposed MetaFrame Access Suite environment. D & D Consulting will also define the method that will be used to maintain and manage password and application authentication, allowing end-users seamless, secure access from anywhere, on any device, to any application and/or content. The Security Architecture section of the Design Phase consists of the following sections:
- Secure Gateway for MetaFrame Design
- MetaFrame Password Manager Design

During the Secure Gateway for MetaFrame Design section of the Security Architecture you will be required to define the security mechanism to be used to secure the MetaFrame Secure Access Manager deployment. The following is an example of a Secure Gateway for MetaFrame Design:

3.3.1 Secure Gateway for MetaFrame Design

Background

Secure Gateway for MetaFrame, Version 2.0, is a component of MetaFrame XP Feature Release 3.
Secure Gateway is designed to work with Web Interface and/or MetaFrame Secure Access Manager to provide a single, secure, encrypted point of access through the Internet to MetaFrame XP Servers and/or MetaFrame Secure Access Manager Servers. Whether Secure Gateway is used for internal or remote access, the service transparently encrypts and authenticates all ICA, HTTP and/or HTTPS connections to protect against data tampering and theft. A typical Secure Gateway deployment involves the interaction of five MetaFrame Access Suite components:
- A client device with an ICA Client, Version 7.0 or later, installed
- A Web Interface and/or Logon Agent (the Logon Agent is only required for MetaFrame Secure Access Manager deployments)
- A Secure Gateway for MetaFrame XP server
- Citrix MetaFrame XP Server(s), with at least one of them running the XML service

Note: HTTP / HTTPS traffic will only be secured if you are utilizing Secure Access Manager 2.0 and above.

In the following sections we will look at the individual components of Secure Gateway for MetaFrame.

Secure Gateway Service (SG)

The Secure Gateway Service brokers every connection request originating from the Internet to the enterprise network. The Gateway Service listens for incoming SSL traffic, decrypts it and relays it to servers on the trusted network. Gateway Service registry entries govern the service behavior. The entries are located in: HKLM\CurrentControlSet\Services\CtxSecGwy. Unlike earlier deployments of Secure Gateway, it does not perform authentication of incoming requests. Instead, the gateway service defers authentication to the Authentication Service and uses the STA to guarantee that each user was authenticated before they receive network resources. This design allows the Secure Gateway service to inherit whatever authentication methods are in place on your web server.
For example, if the Secure Gateway and/or Logon Agent server(s) are protected with RSA SecurID, then by design only SecurID-authenticated users will be able to traverse the secure gateway server. The following list describes how the Gateway Service handles both ICA and HTTP traffic.
- For ICA traffic, the Gateway Service contacts the STA to validate the ICA file ticket, originally requested by Web Interface and/or MetaFrame Secure Access Manager.
- For HTTPS traffic, the Gateway Service contacts the Authentication Service (AS) to validate the authentication cookie (originally set by the Logon Agent). If the cookie is valid, the HTTP request is proxied; if the cookie is invalid or missing, the Logon Agent login page is sent to the user. (Note: HTTP / HTTPS traffic is only supported through MetaFrame Secure Access Manager.)

The final HTTP or ICA connections made through the gateway are initiated by the gateway service. Therefore the gateway server must be able to resolve the FQDN of any internal server to which users will connect. The gateway server must also resolve the names of any other components like the Logon Agent, AuthService, STA or Gateway Proxy. If you do not have access to DNS servers then you will be required to use a HOSTS file on the Secure Gateway service server and on any end-user devices that are not able to resolve the Secure Gateway service device by FQDN.

Citrix support has defined a baseline for running the Secure Gateway service, Logon Agent and/or Web Interface on a 1GHz CPU server to be:
- 30 SSL connections per second
- Supporting 1,000 concurrent ICA or HTTPS sessions

Secure Ticket Authority (STA) Service

The Secure Ticket Authority (STA) is a general-purpose XML web service that exchanges information from application enumeration servers for randomly generated tickets, and vice versa. It is used to control access for a Secure Gateway service server.
Web Interface and/or MetaFrame Secure Access Manager servers authenticate users, enumerate published application icons and produce ICA files for a client to allow them to connect to a published application and resources through a gateway server. The Secure Ticket Authority is actually an Internet Server Application Program Interface (ISAPI) DLL. By default it is installed on the primary server in a MetaFrame Secure Access Manager server farm (requires IIS). IIS calls the ISAPI DLL when a ticket is requested. The primary purpose of the STA is to generate and validate tickets for access to internal network resources. The ISAPI extension is called CtxSta.dll and is hosted in the /Scripts folder by default. Other components communicate with the STA using XML over HTTP.

Secure Ticket Authority (STA) tickets are purged immediately after a successful data request, so they may only be used once. They are also deleted after a configurable timeout (default 100 seconds) if not used. A single STA may be shared among any number of secure gateway servers and application enumeration servers. The STA is not restricted to any particular domain, farm or application enumeration server. It is an anonymous XML service. Citrix best practices recommend that the STA be installed on a stand-alone server that is not a member of the user domain.

Logon Agent (LA)

The Logon Agent is an ASP Web-based login service which displays a login page and processes logon requests for users wanting to log in to a MetaFrame Secure Access Manager environment. The Logon Agent is a collection of ASP scripts hosted via IIS. Clients are not able to access the Logon Agent without going through the gateway. If they do, the Access Center will fail to load. This is true whether the Logon Agent is co-located on the same box as the gateway service or on a separate server.
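The brokering flow described above, modelled in Python as an added example (not Citrix code): the STA hands out random single-use tickets that also expire after the default 100-second timeout, the Authentication Service (AS) issues and validates the session cookie set at logon, and the gateway service relays ICA only on a valid ticket and proxies HTTPS only on a valid cookie, otherwise sending the user to the Logon Agent. Class names, the cookie name, the credential store, the session lifetime and the server addresses are all constructed for this example.

```python
import secrets
import time


class SecureTicketAuthority:
    """Exchanges an internal server address for a random ticket and back.

    A ticket is removed on its first successful data request (single use) and
    is also dropped if unused for `timeout` seconds (100 s is the page's default).
    """

    def __init__(self, timeout=100, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock          # injectable clock so expiry can be exercised offline
        self._tickets = {}           # ticket -> (target server, issue time)

    def request_ticket(self, target):
        """Called by Web Interface / MSAM while it produces the ICA file."""
        self.purge_expired()
        ticket = secrets.token_hex(16)           # 128 random bits: not guessable
        self._tickets[ticket] = (target, self._clock())
        return ticket

    def request_data(self, ticket):
        """Called by the gateway; returns the target once, then the ticket is gone."""
        self.purge_expired()
        entry = self._tickets.pop(ticket, None)  # pop enforces single use
        return entry[0] if entry else None

    def purge_expired(self):
        now = self._clock()
        stale = [t for t, (_, issued) in self._tickets.items()
                 if now - issued > self._timeout]
        for t in stale:
            del self._tickets[t]


class AuthenticationService:
    """Authenticates users on behalf of the Logon Agent and validates gateway cookies."""

    COOKIE_NAME = "MSAMSession"      # constructed name, not the product's cookie

    def __init__(self, users, clock=time.monotonic, lifetime=1800):
        self._users = users          # constructed store: {(user, domain): password}
        self._clock = clock
        self._lifetime = lifetime    # constructed session lifetime in seconds
        self._sessions = {}          # cookie value -> (DOMAIN\user, issue time)

    def logon(self, user, password, domain):
        """Return a session cookie value on success, None on failure."""
        expected = self._users.get((user.lower(), domain.lower()))
        if expected is None or not secrets.compare_digest(
                expected.encode(), password.encode()):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (f"{domain}\\{user}", self._clock())
        return cookie

    def validate_cookie(self, cookie):
        """Return the user the cookie belongs to, or None if missing/unknown/expired."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, issued = entry
        if self._clock() - issued > self._lifetime:
            del self._sessions[cookie]
            return None
        return user


class SecureGatewayService:
    """Relays ICA only with a valid STA ticket; proxies HTTPS only with a valid AS cookie."""

    def __init__(self, sta, auth_service, logon_agent_url):
        self._sta = sta
        self._as = auth_service
        self._logon_url = logon_agent_url

    def handle_ica(self, ticket):
        target = self._sta.request_data(ticket)
        if target is None:
            return ("reject", "invalid, expired or already-used STA ticket")
        return ("relay", target)     # gateway itself opens the ICA connection to target

    def handle_https(self, cookies):
        cookie = cookies.get(AuthenticationService.COOKIE_NAME, "")
        user = self._as.validate_cookie(cookie)
        if user is None:
            return ("redirect", self._logon_url)   # Logon Agent login page goes back
        return ("proxy", user)
```

The injectable clock is what lets a test (or a monitoring probe) confirm that a ticket really dies after one use and after the timeout, which is the property the gateway relies on.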
MetaFrame Secure Access Manager 2.0 ships with two logon page templates, one using basic username, password and domain and the second supporting integration with RSA SecurID. Upon successful authentication, the AuthService returns a session cookie, a redirection URL, other cookies required by MetaFrame Secure Access Manager and a list of all available internal web servers. The Logon Agent can handle approximately 20 logons per second when run on a standalone 1GHz server. By default, the logon agent is installed on the gateway server. This is fine for small deployments (<1000 users), but for large deployments the logon agent should be moved to separate machines. If necessary, multiple logon agents per gateway can be used.

Authorization Service

The Authorization Service (AS) is a .Net ASMX file which is published anonymously by IIS. The default URL is \<Access_Center>\AuthService\AuthService.asmx and it is included as part of each MetaFrame Secure Access Manager 2.0 Access Center. The AS authenticates users and generates and validates cookies for gateway HTTPS sessions. Typically the AS and STA are co-located on the same machine, but this is not a requirement. The Authorization Service can be copied to two load balanced IIS web servers. The Authorization Service can accept twenty connections per second.

Secure Gateway Proxy (Double DMZ design only)

This component is a Secure Gateway service which can proxy traffic from another Secure Gateway service to a trusted network. Using a Secure Gateway Proxy it is possible to deploy the SG where a two-stage DMZ separates the Internet from the trusted network. The following is an example of a double-hop scenario.

SSL Certificates

Digital certificates are used between the end-user's client device and the Gateway service, as well as other MetaFrame Access Suite servers, to verify each other's identity and authenticity. You have the option to use digital certificates that are issued from a commercial or private certificate authority.
A commercial certificate authority is a trusted company, like VeriSign, that issues digital certificates used to create digital signatures and public-private key pairs. A private CA is one that you or your organization manages. The role of the certificate authority is to guarantee that the individual that requested and received the SSL certificate is, in fact, who he or she claims to be. The main advantage of using a commercial CA is that the root certificates for most commercial CAs are built into Internet Explorer and Windows server products. If you use server certificates from a private CA you will have to distribute and install the root certificates on all client devices and servers connecting to SSL-secured servers. When a CA issues a certificate, the CA vouches for the subject's identity (with a public CA we are talking about the gateway machine). If the name is an FQDN it is globally unique, in contrast to a NetBIOS name, which is not. CAs can have different issuance policies: some insist on FQDNs, others may not. But the relying party (the person ordering the certificate) needs to know what they are getting, because Citrix enforces a fixed policy of FQDN only. The following image shows where a root certificate as well as a server certificate must be installed.

[Figure: certificate placement, with the labels "Root", "Server + Root" and "Server"]

It is strongly recommended to use commercial certificates. You will only need to use a public certificate authority (CA) to generate one SSL server certificate, which will be installed on the Secure Gateway service / Logon Agent / Web Interface machine (two SSL certificates are required for a fault-tolerant solution). By utilizing a public certificate authority you will not be required to distribute and install root certificates on all your end users' Windows workstations. Should you decide to use a private certificate authority you will be required to install the CA's private root certificate on all the users' workstations.
With a private CA, access to your Access environment will be limited to workstations that have the private root certificate installed.

Requirements

DABCC.COM has defined the requirement that all communications, from client to server, be secured with a lightweight security solution. DABCC.COM has also defined the need for secure remote access from any location without the need for software to be installed on all client devices.

Recommendations

D & D Consulting recommends that DABCC.COM implement Secure Gateway for MetaFrame. Secure Gateway for MetaFrame secures ICA traffic from client to server. With the addition of Web Interface 2.1, DABCC.COM will be able to achieve the requirement of remote access from any location on almost any device. In order to achieve high availability for secure client-to-server requests, DABCC.COM recommends implementing two Windows 2000 Servers running the Secure Ticket Authority service and the Secure Gateway service.

During the MetaFrame Password Manager Design section of the Security Architecture you will be required to define the directory service to be used, any applications that will need to be preconfigured and any custom agent settings. The following is an example of a MetaFrame Password Manager Design:

3.3.2. MetaFrame Password Manager Design

Background

Citrix MetaFrame Password Manager provides password security and single sign-on access to Windows, web, proprietary, and host-based applications running on MetaFrame XP servers and local Microsoft Windows workstations. End-users log on to their workstation and MetaFrame Password Manager does the rest, automatically logging the end-user on to password-protected resources. The MetaFrame Password Manager Agent also enforces password policies, monitors all password-related events, and automates password changes.
The goal behind MetaFrame Password Manager is to simplify end-user computing, leaving users more productive while saving company dollars in support and administration of end-user passwords. This is done by allowing end-users to authenticate once; MetaFrame Password Manager then authenticates them to their other password-protected applications. Users no longer need to remember multiple usernames and passwords to access network applications and resources, thus reducing one of the most widespread sources of security breaches: users recording and storing their passwords under mouse pads or keyboards. MetaFrame Password Manager also improves network security by helping to eliminate poor password management, making frequent automatic password changes and imposing stricter password policies. In addition, MetaFrame Password Manager enhances security by centralizing security policies, providing an encrypted file for each user's credentials, and allowing IT administrators to automatically generate passwords that are more difficult to guess.

MetaFrame Password Manager is comprised of the following three systems:

MetaFrame Password Manager Agent
MetaFrame Password Manager Console
MetaFrame Password Manager Directory Service

MetaFrame Password Manager Agent

The agent is the client-side component of MetaFrame Password Manager. The agent acts as an intermediary between users and applications that require authentication. When a user tries to access an application that requires authentication, the agent intercepts the application's request for authentication. The agent finds the correct credentials in the local credential store and submits them to the application. Credentials are also saved in a central store, in shared folders, or in Microsoft Active Directory. The agent synchronizes the local store with the central store, allowing users to maintain their credentials from any workstation. In addition, the agent provides users with the following features:

System tray menu. The agent's system tray menu provides easy access to MetaFrame Password Manager functionality, allowing users to manage logons, set preferences, and access online help.

Logon Manager. The agent's Logon Manager provides users with a central console for viewing, editing, and deleting logons.

New logon setup. Users can set up new logons quickly using the New Logon wizard. The agent detects each logon request and stores information entered in the New Logon wizard for retrieval the next time the user launches the application.

User mobility. The agent supports remote and mobile users. Remote users can access their credentials whether they are connected to or disconnected from the corporate network. Mobile users can easily move from one machine to another, and multiple users can securely share one workstation.

MetaFrame Password Manager Console

The MetaFrame Password Manager console allows an administrator to manage all aspects of application password management. It is used to configure password definitions utilized by the agent and enhances the functionality of the agent; the agent has limited functionality without console configurations. With the console, you can use wizards to create password policies, configure applications for single sign-on support (application definitions), and manage users' credentials and agent settings. You can create a central store where all the configuration and agent settings are saved for retrieval and use by the agents. The console has five nodes in the left pane. You select a node to display specific options in the right pane. The right pane is where you specify the parameters for the selected node. The console includes the following features:

Application definitions. The identifiers an agent needs to detect logon and password-change pages, where to enter the user's credentials, and how to submit those credentials are stored in application definitions. MetaFrame Password Manager offers a large selection of preset application definitions, but you can easily add your own, usually in a few minutes.

Password policies. The console allows you to set password policies for automatically generated passwords. Password policies control password length and the type and variety of characters used in each password. Creating password policies ensures that your company's security policies are applied by MetaFrame Password Manager.

Password sharing. Password Sharing Groups automate and simplify the password change process for applications that share a common password. If an application belongs to a Password Sharing Group and there is a password change, the change propagates to all other applications within the group.

Other options. You can configure several agent settings with the console to meet the particular needs of your organization. For example, you can disable the button that allows users to reveal passwords.

MetaFrame Password Manager Directory Service

MetaFrame Password Manager synchronizes logon credentials, agent settings, and application definitions between agents through a directory service central store. This synchronization ensures that credentials, agent settings, and application definitions remain up-to-date and secure. Synchronizing user credentials, for example, enables mobility, eases deployment, simplifies administration, and improves security. MetaFrame Password Manager provides local credential storage in an encrypted database, and the agent settings are stored in the registry. You can set up MetaFrame Password Manager to synchronize with either a shared folder or Microsoft Active Directory. Active Directory has the benefit of using your company's existing infrastructure, providing faster, easier access to the synchronizer. It does not require Microsoft connection licenses, and it enables synchronized data to be available throughout the enterprise.
Using a shared folder for synchronization enables you to perform synchronization without having to extend the Active Directory schema, and suits environments where Active Directory is not an option. You can migrate to Active Directory later. Both options are equally secure.

Requirements

DABCC.COM has defined the requirement to improve network security while cutting costs and increasing productivity. DABCC.COM has defined the requirement of managing authentication for all password-protected applications and network resources.

Recommendations

Based on the requirements, D & D Consulting recommends deploying MetaFrame Password Manager 2.0 to improve network security while cutting costs and increasing productivity. D & D Consulting recommends utilizing the Network Share directory service to reduce the risks associated with an Active Directory schema extension. D & D Consulting will create application definitions for all MetaFrame XP published applications.